Unable to Save SOAP Notes


(Bisi Adedokun) #1

I recently upgraded to version 5.0.1 (6) of OpenEMR. Since then, when a doctor types SOAP notes and clicks the Save button, the following error message displays on the client side (browser):

“There was an OpenEMR SQL Escaping ERROR of the following string rosENTComment”

There is no error entry in the log files: apache2.log, syserror or mysql.log

This problem was not occurring with 5.0.0. The SOAP interface was customized many years ago (2013) but never experienced this issue until the latest version upgrade. The customized SOAP and EVAL interfaces have gone through many version upgrades without any problem until now.

Any assistance will be greatly appreciated as the doctors cannot use the software. The only recourse is to downgrade to the previous version if this problem is unresolvable - but I want that to be the last option.

Below is the table structure of the customized soap table:

CREATE TABLE form_psych_soap (
id BIGINT(20) NOT NULL AUTO_INCREMENT,
date DATETIME NULL DEFAULT NULL,
pid BIGINT(20) NULL DEFAULT '0',
user VARCHAR(255) NULL DEFAULT NULL,
groupname VARCHAR(255) NULL DEFAULT NULL,
authorized TINYINT(4) NULL DEFAULT '0',
activity TINYINT(4) NULL DEFAULT '0',
subjective TEXT NULL,
objective TEXT NULL,
Axis_I TEXT NULL,
Axis_II TEXT NULL,
Axis_III TEXT NULL,
Axis_IV TEXT NULL,
Axis_V TEXT NULL,
plan TEXT NULL,
Medications TEXT NULL,
Return_Visit DATETIME NULL DEFAULT NULL,
start_time VARCHAR(5) NULL DEFAULT NULL,
end_time VARCHAR(5) NULL DEFAULT NULL,
supervising VARCHAR(255) NULL DEFAULT NULL,
supervisingSign VARCHAR(255) NULL DEFAULT NULL,
attending VARCHAR(255) NULL DEFAULT NULL,
attendingSign VARCHAR(255) NULL DEFAULT NULL,
patientPresent TINYINT(1) NULL DEFAULT '0',
familyPresent TINYINT(1) NULL DEFAULT '0',
otherPresent TINYINT(1) NULL DEFAULT '0',
otherComment VARCHAR(255) NULL DEFAULT NULL,
problem TEXT NULL,
symptoms TEXT NULL,
pastHistory TEXT NULL,
rosCons TINYINT(1) NULL DEFAULT '0',
rosConsComment VARCHAR(255) NULL DEFAULT NULL,
rosEyes TINYINT(1) NULL DEFAULT '0',
rosEyesComment VARCHAR(255) NULL DEFAULT NULL,
rosENT TINYINT(1) NULL DEFAULT '0',
rosEntComment VARCHAR(255) NULL DEFAULT NULL,
rosCardio TINYINT(1) NULL DEFAULT '0',
rosCardioComment VARCHAR(255) NULL DEFAULT NULL,
rosResp TINYINT(1) NULL DEFAULT '0',
rosRespComment VARCHAR(255) NULL DEFAULT NULL,
rosGast TINYINT(1) NULL DEFAULT '0',
rosGastComment VARCHAR(255) NULL DEFAULT NULL,
rosGenit TINYINT(1) NULL DEFAULT '0',
rosGenitComment VARCHAR(255) NULL DEFAULT NULL,
rosMusc TINYINT(1) NULL DEFAULT '0',
rosMuscComment VARCHAR(255) NULL DEFAULT NULL,
rosInteg TINYINT(1) NULL DEFAULT '0',
rosIntegComment VARCHAR(255) NULL DEFAULT NULL,
rosNeuro TINYINT(1) NULL DEFAULT '0',
rosNeuroComment VARCHAR(255) NULL DEFAULT NULL,
rosEndo TINYINT(1) NULL DEFAULT '0',
rosEndoComment VARCHAR(255) NULL DEFAULT NULL,
rosHemLym TINYINT(1) NULL DEFAULT '0',
rosHemLymComment VARCHAR(255) NULL DEFAULT NULL,
rosAllerg TINYINT(1) NULL DEFAULT '0',
rosAllergComment VARCHAR(255) NULL DEFAULT NULL,
medicalRecords TEXT NULL,
pcProblem TINYINT(1) NULL DEFAULT '0',
pcStatus TINYINT(1) NULL DEFAULT '0',
pcStable TINYINT(1) NULL DEFAULT '0',
pcIMR TINYINT(1) NULL DEFAULT '0',
pcComplications TINYINT(1) NULL DEFAULT '0',
pcIMPC TINYINT(1) NULL DEFAULT '0',
pcNotes TEXT NULL,
labs TEXT NULL,
educationA TINYINT(1) NULL DEFAULT '0',
educationB TINYINT(1) NULL DEFAULT '0',
suicidality TINYINT(4) NOT NULL DEFAULT '0',
safetyPlanAction TEXT NULL,
homicidality TINYINT(4) NULL DEFAULT NULL,
homicidalitySafetyPlanAction TEXT NULL,
PRIMARY KEY (id)
)
COLLATE='utf8_general_ci'
ENGINE=InnoDB
AUTO_INCREMENT=156
;

Bisi


(Brady Miller) #2

Hi @badedokun ,

The rosENTComment column does not exist in your table, which is why it is dying. Looks like the column is supposed to be rosEntComment. Guessing need a fix in the form.
(btw, the reason this breaks on 5.0.1 is because we have sql-injection mechanisms in place to ensure the column actually exists before running the query)

-brady
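The column-existence check Brady describes, as an added illustration (Python rather than PHP, and not OpenEMR's own code) of why the same form saved on 5.0.0 and fails on 5.0.1: a plain INSERT lets the database resolve column names case-insensitively, so rosENTComment quietly lands in rosEntComment, while a strict whitelist compares the exact string and refuses the key. Everything here is constructed for the example: the SQLite schema is a subset of the table quoted above, and misnamed_keys is a hypothetical diagnostic that lists which posted field names still need fixing.

```python
import sqlite3

# Constructed subset of the thread's form_psych_soap table (not the full schema).
SCHEMA = """CREATE TABLE form_psych_soap (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  pid INTEGER DEFAULT 0,
  subjective TEXT,
  rosENT INTEGER DEFAULT 0,
  rosEntComment VARCHAR(255)
)"""


class SqlEscapingError(ValueError):
    """A posted field name does not match any declared column."""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def table_columns(conn, table):
    # Column names exactly as declared (PRAGMA table_info is SQLite's SHOW COLUMNS).
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def misnamed_keys(posted, columns):
    # Hypothetical diagnostic: each posted key that is not a real column, mapped
    # to the column it differs from only by case (or None if nothing is close).
    by_lower = {c.lower(): c for c in columns}
    return {k: by_lower.get(k.lower()) for k in posted if k not in columns}


def form_submit(conn, table, posted, strict=True):
    # strict=True mirrors the 5.0.1 idea: every key must match a declared column
    # exactly before any SQL is built. strict=False is the pre-check behaviour,
    # where the database resolves names case-insensitively, so a key such as
    # rosENTComment silently lands in rosEntComment. The table name is a code
    # constant, never request input, and the values are bound as parameters.
    if strict:
        bad = misnamed_keys(posted, table_columns(conn, table))
        if bad:
            raise SqlEscapingError("There was an OpenEMR SQL Escaping ERROR of the "
                                   f"following string {next(iter(bad))}")
    cols = ", ".join(posted)
    marks = ", ".join("?" for _ in posted)
    cur = conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})",
                       list(posted.values()))
    conn.commit()
    return cur.lastrowid
```

Running misnamed_keys over the array each form file posts is a quick way to find which of save.php, new.php or view.php still sends the old name.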


(Bisi Adedokun) #3

Hi Brady,

Thanks for your comment. I changed entry in save.php to match the column in the table (rosEntComment) but that still did not solve the problem. Is there any other form that I need to change?

The folder where the save.php form is located is:
/var/www/openemr/interface/forms/ohp_psychiatric_SOAP#

Below is the relevant code snippet from the save.php form:

unset($_POST['duration']);
require_once("../../globals.php");
require_once("$srcdir/htmlspecialchars.inc.php");
include_once("$srcdir/api.inc");
include_once("$srcdir/forms.inc");


  $data['objective']='';
  $data['Axis_I']='';
  $data['Axis_II']='';
  $data['Axis_III']='';
  $data['Axis_IV']='';
  $data['Axis_V']='';
  $data['plan']='';
  $data['Medications']='';
  $data['Return_Visit']='';
  $data['supervising']='';
  $data['supervisingSign']='';
  $data['attending']='';
  $data['attendingSign']='';
  $data['patientPresent']='';
  $data['familyPresent']='';
  $data['otherPresent']='';
  $data['otherComment']='';
  $data['problem']='';
  $data['symptoms']='';
  $data['pastHistory']='';
  $data['rosCons']='';
  $data['rosConsComment']='';
  $data['rosEyes']='';
  $data['rosEyesComment']='';
  $data['rosENT']='';
  $data['rosEntComment']='';
  $data['rosCardio']='';
  $data['rosCardioComment']='';
  $data['rosResp']='';
  $data['rosRespComment']='';
  $data['rosGast']='';
  $data['rosGastComment']='';
  $data['rosGenit']='';
  $data['rosGenitComment']='';
  $data['rosMusc']='';
  $data['rosMuscComment']='';
  $data['rosInteg']='';
  $data['rosIntegComment']='';
  $data['rosNeuro']='';
  $data['rosNeuroComment']='';
  $data['rosEndo']='';
  $data['rosEndoComment']='';
  $data['rosHemLym']='';
  $data['rosHemLymComment']='';
  $data['rosAllerg']='';
  $data['rosAllergComment']='';
  $data['medicalRecords']='';
  $data['pcProblem']='';
  $data['pcStatus']='';
  $data['pcStable']='';
  $data['pcIMR']='';
  $data['pcComplications']='';
  $data['pcIMPC']='';
  $data['pcNotes']='';

$data['labs']='';
$data['educationA']='';
$data['educationB']='';

// print_r($_POST);
// echo '<br><br>';

// Give every column the form can fill a key in $_POST, even when the field was
// left empty, so the insert/update always works on the same set of columns.
foreach($data as $i=>$v){
    if(!isset($_POST[trim($i)])){

// echo $i.'<br>';

      $_POST[$i] = '';
    }
  }

// print_r($_POST);
// echo '<br><br>';
// die;
$dateArray = getEncounterDateByEncounter($encounter);

$gafScore = $_POST['gafVal'];
$gafString = '';

// Prefix Axis V with the GAF score line when a score was entered.
if($gafScore != ''){
$gafTimeFrame = trim($_POST['gafTimeFrame']);
$gafDescTxt = trim($_POST['gafDescTxt']);
$gafString = removeTimeFromDate($dateArray['date']).' - GAF : '.$gafScore.' '.$gafTimeFrame.PHP_EOL;
}
// These three fields are not columns of form_psych_soap, so drop them before submit.
unset($_POST['gafVal'],$_POST['gafTimeFrame'],$_POST['gafDescTxt']);

$_POST['Axis_V'] = $gafString.PHP_EOL.( isset($_POST['Axis_V']) ? trim($_POST['Axis_V']) : '' );
foreach($_POST as $i=>$v)
  $_POST[$i] = addslashes($v);

// print_r($_POST);

// echo '$_GET["id"] = '.$_GET["id"];

$start_time = '';

// Only accept a start time when both hour and minute were posted as two-character
// values; the two fields are merged into the single start_time column.
if(isset($_POST['start_time_hr']) && isset($_POST['start_time_min']) && strlen($_POST['start_time_hr']) == 2 && strlen($_POST['start_time_min']) == 2){
$start_time = $_POST['start_time_hr'].":".$_POST['start_time_min'];
unset($_POST['start_time_hr']);
unset($_POST['start_time_min']);
}
$end_time = '';
if(isset($_POST['end_time_hr']) && isset($_POST['end_time_min']) && strlen($_POST['end_time_hr']) == 2 && strlen($_POST['end_time_min']) == 2){
$end_time = $_POST['end_time_hr'].":".$_POST['end_time_min'];
unset($_POST['end_time_hr']);
unset($_POST['end_time_min']);
}

$_POST['start_time'] = $start_time;
$_POST['end_time'] = $end_time;

// Normalise the posted return-visit date to the DATETIME format of the column.
$_POST['Return_Visit'] = date('Y-m-d H:i:s', strtotime(str_replace('-', '/', $_POST['Return_Visit'])));

// Checked checkboxes arrive as 'on'; store them as the TINYINT value 1.
foreach($_POST as $i=>$v){
if($v == 'on') $_POST[$i] = 1;
}

// print_r($_POST);
//
// echo '<br><br>'.$_GET["mode"];
//
//
// die;

// Every key left in $_POST is treated as a column name of form_psych_soap by
// formSubmit()/formUpdate(), so the keys must match the table's columns exactly.
if ($_GET["mode"] == "new"){
$newid = formSubmit('form_psych_soap', $_POST, '', $userauthorized);
addForm($encounter, "Psychiatric SOAP Form", $newid, "ohp_psychiatric_SOAP", $pid, $userauthorized);
}else{
formUpdate ('form_psych_soap', $_POST, $_GET["id"], $userauthorized);
}
@formJump();

Regards,
Bisi


(Brady Miller) #4

Hi @badedokun ,

What do the new and view files look like? (You likely need to change the id for the entry there to the correct name to get it to work.)

-brady


(Bisi Adedokun) #5

Hi Brady,

Thanks for the suggestion. I reviewed both files, but nothing jumps out to point to where the error may be. In the view file, the line where the form and id are retrieved is:

$data = $returnArray = formFetch('form_psych_soap', $_GET['id']);

It appears the id is being retrieved dynamically.

The new file looks similar to the save file.

Is there a way I can send you the new and view files? I think I may still be missing something I cannot identify.

Thank you for your help. Much appreciated.

Regards,
Bisi


(Brady Miller) #6

Hi @badedokun ,

Sure thing. Send them to brady.g.miller@gmail.com .

-brady