Updating adodb and future release timetable

jeff_ross wrote on Saturday, May 24, 2008:

Is it possible to update the ADODB library to adodb-498-for-php?

http://internap.dl.sourceforge.net/sourceforge/adodb/adodb498.tgz

This version supports both php4 and php5, and includes AutoExecute(), which automatically prepares and executes an SQL statement.  Moving to AutoExecute() goes a long way toward addressing the SQL injection problems, and will give me a better way to fix the escaping problems my users continue to find.

What is the release process and schedule for new versions of OpenEMR?

Thanks,

Jeff

drbowen wrote on Tuesday, May 27, 2008:

Our schedule for a new release was in April.  There have been a lot of recent big commits, and the other developers, primarily Rod and Cristian (lemonsoftwarero), wanted time to consolidate these recent changes.

Either way, I have been requesting to stop new feature requests and publish a new release now.  For those who need to upgrade, it makes it easier to make small upgrades instead of large upgrades.  (Easier to troubleshoot error messages.)

"AutoExecute() goes a long way toward addressing the SQL injection problems"

If I understand correctly, AutoExecute() is a stored procedure that works on the server to execute the SQL statement.  Stored procedures are more difficult to "cheat" with an SQL statement and are one of the ways to help improve security.

I agree that updating to ADODB is overdue.  An ADODB update may break a lot of things and may be worth doing as a separate branch before committing it completely.

Sincerely,

Sam Bowen, MD

jeff_ross wrote on Tuesday, May 27, 2008:

I’ve already upgraded adodb on my test bed and everything seems to be working fine.

As I’ve worked through the escaping errors my users keep finding, I’ve found some interesting and rather strange things about the qstr function.  All strings get prefixed and appended by a single quote, which immediately breaks an insert for a string that does not need escaping.  Reading the adodb.inc file, I see that there is another, undocumented function called addq that adds escaping to a string only if it is needed–like I’d expect qstr to do–and does not prefix and append a single quote to the string.  However, since it is an undocumented function and not in the published API, it is risky to call it directly and expect it to continue to work as published after an upgrade.

AutoExecute makes all of this just work without any calls to qstr or addq, after, of course, all insert and update statements are re-written to use it, but that is work that I’ll need to do as a part of moving our backend to PostgreSQL anyway.  Certainly this move to autoexecute should happen in the next release, but I’d think the upgrade to adodb could happen before this release is locked down.

Just my $0.02 :wink:

Jeff
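The following is an added example, not code from this thread, from OpenEMR or from the ADODB project. It puts Jeff's two points side by side: the qstr()/addq() quoting behaviour from his last post, and the AutoExecute() call from his first post, which is a method on the ADODB connection object that builds an INSERT or UPDATE from an array and quotes each value itself. Everything environment-specific is assumed: ADODB 4.98 unpacked under `adodb/`, a reachable MySQL database (placeholder credentials), and a constructed table `demo_notes` with columns `id`, `pid` and `body`.

```php
<?php
// Added example (not from the thread, OpenEMR or ADODB): hand-built SQL versus
// qstr()/addq() versus AutoExecute() in ADODB 4.98.
// Assumed environment: adodb/adodb.inc.php on the include path, a MySQL
// database reachable with the placeholder credentials below, and a constructed
// table: CREATE TABLE demo_notes (id INT AUTO_INCREMENT PRIMARY KEY, pid INT, body TEXT)
require_once 'adodb/adodb.inc.php';

$db = ADONewConnection('mysqli');
$db->Connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER')
    or die('connect failed: ' . $db->ErrorMsg());
$db->SetFetchMode(ADODB_FETCH_ASSOC);   // so $rs->fields is keyed by column name

// Constructed input of the kind users type: the apostrophe is exactly what
// breaks an unescaped INSERT (and, with crafted input, changes its meaning).
$pid  = 42;
$body = "Patient's note: BP 120/80";

// 1. The failing pattern: the value is dropped into the statement verbatim.
//    The apostrophe terminates the string literal early. Shown only, never run.
$unsafe = "INSERT INTO demo_notes (pid, body) VALUES ($pid, '$body')";

// 2. qstr() returns the value ALREADY wrapped in single quotes, so it is
//    concatenated without surrounding quotes. Writing "'" . $db->qstr($body) . "'"
//    produces the doubled quotes that the post above describes as breaking inserts.
$sql = 'INSERT INTO demo_notes (pid, body) VALUES ('
     . (int) $pid . ', ' . $db->qstr($body) . ')';
$db->Execute($sql) or die('qstr insert failed: ' . $db->ErrorMsg());

// 3. addq() escapes the string but adds no quotes; the caller supplies them.
//    It is an internal helper rather than part of the published API, which is
//    the upgrade risk the post points out.
$sql = 'INSERT INTO demo_notes (pid, body) VALUES ('
     . (int) $pid . ", '" . $db->addq($body) . "')";
$db->Execute($sql) or die('addq insert failed: ' . $db->ErrorMsg());

// 4. AutoExecute(): hand over an associative array of column => value and let
//    ADODB build the statement and quote every value. No qstr()/addq() calls.
$record = array('pid' => $pid, 'body' => $body);
$ok = $db->AutoExecute('demo_notes', $record, 'INSERT');
if (!$ok) {
    die('AutoExecute insert failed: ' . $db->ErrorMsg());
}

// The UPDATE form takes a caller-supplied WHERE clause, so values that appear
// in it still need quoting (qstr()) or, as here, an integer cast.
$record = array('body' => $body . ' (amended)');
$ok = $db->AutoExecute('demo_notes', $record, 'UPDATE', 'pid = ' . (int) $pid);
if (!$ok) {
    die('AutoExecute update failed: ' . $db->ErrorMsg());
}

// Read back: every stored body still contains the apostrophe intact.
$rs = $db->Execute('SELECT body FROM demo_notes WHERE pid = ' . (int) $pid);
while ($rs && !$rs->EOF) {
    echo $rs->fields['body'], "\n";
    $rs->MoveNext();
}
```

The practical rule the block illustrates: with qstr() the quotes come from the library, with addq() they come from the caller, and with AutoExecute() the caller never builds the VALUES or SET clause at all, which is why rewriting inserts and updates to use it removes a whole class of escaping mistakes rather than fixing them one by one. The WHERE clause of an UPDATE remains the caller's responsibility.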