ef7ce6e04d479590353139876d0fa409b861b259
galt
  Wed Jun 12 14:10:52 2013 -0700
removing unneeded fix-sqli functions
diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index 7a714cd..7ac9f5f 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -2792,164 +2792,76 @@
 
 	return FALSE;  // might want to look at hg.conf settings and if debugging, show details.
 	}
     }
 return TRUE;
 }
 
 static void sqlCheckDisallowAllChars(char disAllowed[256])
 /* Disallow all chars by setting to 1 */
 {
 int i;
 for(i=0;i<256;++i)
     disAllowed[i] = 1;
 }
 
-static void sqlCheckAllowAllChars(char disAllowed[256])
-/* Allow all chars by setting to 0 */
-{
-int i;
-for(i=0;i<256;++i)
-    disAllowed[i] = 0;
-}
-
 static void sqlCheckAllowLowerChars(char allowed[256])
 /* Allow lower case chars by setting to 0 */
 {
 unsigned char c;
 for(c='a';c<='z';++c)
     allowed[c] = 0;
 }
 
 static void sqlCheckAllowUpperChars(char allowed[256])
 /* Allow upper case chars by setting to 0 */
 {
 unsigned char c;
 for(c='A';c<='Z';++c)
     allowed[c] = 0;
 }
 
 static void sqlCheckAllowDigitChars(char allowed[256])
 /* Allow digit chars by setting to 0 */
 {
 unsigned char c;
 for(c='0';c<='9';++c)
     allowed[c] = 0;
 }
 
 static void sqlCheckAllowChar(unsigned char c, char allowed[256])
 /* Allow a char by setting to 0 */
 {
 allowed[c] = 0;
 }
 
-static void sqlCheckDisallowChar(unsigned char c, char allowed[256])
-/* Allow a char by setting to 0 */
-{
-allowed[c] = 1;
-}
-
 static void sqlCheckAllowAlphaChars(char allowed[256])
 /* Allow all chars by setting to 0 */
 {
 sqlCheckAllowUpperChars(allowed);
 sqlCheckAllowLowerChars(allowed);
 }
 
 static void sqlCheckAllowAlphaNumChars(char allowed[256])
 /* Allow all chars by setting to 0 */
 {
 sqlCheckAllowAlphaChars(allowed);
 sqlCheckAllowDigitChars(allowed);
 }
 
-static boolean sqlCheckNeedsEscape(char *s)
-/* Check if string s needs escaping. Usually it doesn't need it. */
-{
-static boolean init = FALSE;
-static char disallowed[256];
-if (!init)
-    {
-    sqlCheckAllowAllChars(disallowed);
-    sqlCheckDisallowChar('\''  , disallowed);  // single-quote
-    sqlCheckDisallowChar('"'   , disallowed);  // double-quote
-    sqlCheckDisallowChar('\\'  , disallowed);  // back-slash
-    sqlCheckDisallowChar('\r'  , disallowed);  // carriage-return
-    sqlCheckDisallowChar('\n'  , disallowed);  // newline or linefeed
-    sqlCheckDisallowChar('\x1a', disallowed);  // ctrl-Z or 26 dec or 1a hex.
-    // technically, 0 can be escaped but we are doing strings and not general binary data here.
-    init = TRUE;
-    }
-if (sqlCheckAllowedChars(s, disallowed))
-    {
-    return FALSE;
-    }
-return TRUE;
-}
 
-// TODO This is probably not needed
-char *sqlEscapeIfNeeded(char *s, char **pS)
-/* Escape if needed.  if *pS is not null, free it.  */
-{
-char *ret = NULL;
-if (sqlCheckNeedsEscape(s))
-    {
-    ret = sqlEscapeString(s);
-    if (pS)
-	*pS = ret;
-    }
-else
-    {
-    if (pS)
-	*pS = NULL;
-    ret = s;
-    }
-return ret;
-}
-
-char *sqlCheckQuotedLiteral(char *s)
-/* Check that none of the chars needing to be escaped are in the string s */
-{
-if (sqlCheckNeedsEscape(s))
-    {
-    sqlCheckError("Forbidden characters like quotes, newlines, or backslashes found in quoted string literal %s", s);
-    }
-return s;
-}
-
-char *sqlCheckAlphaNum(char *word)
-/* Check that only valid alpha numeric characters are used in word */
-{
-static boolean init = FALSE;
-static char allowed[256];
-if (!init)
-    {
-    sqlCheckDisallowAllChars(allowed);
-    sqlCheckAllowAlphaNumChars(allowed);
-    init = TRUE;
-    }
-if (!sqlCheckAllowedChars(word, allowed))
-    {
-    sqlCheckError("Illegal character found in %s", word);
-    }
-return word;
-}
-
-// TODO as much as I liked this function sqlCheckIdentifiersList,
-// it may not be used much, so see if you can remove it
-// and just add a little workaound for the remaining place(s) that use it.
-// This one is probably here to stay.
+/* Currently used 10 times in the code via define sqlChkIl. */
 char *sqlCheckIdentifiersList(char *identifiers)
 /* Check that only valid identifier characters are used in a comma-separated list */
 {
 static boolean init = FALSE;
 static char allowed[256];
 if (!init)
     {
     sqlCheckDisallowAllChars(allowed);
     sqlCheckAllowAlphaNumChars(allowed);
     sqlCheckAllowChar('.', allowed);
     sqlCheckAllowChar('_', allowed);
     // sqlTableExists looks like a single table check, but apparently it has become abused
     // to support multiple tables e.g. sqlTableExists 
     sqlCheckAllowChar(' ', allowed);
     sqlCheckAllowChar(',', allowed);
@@ -3001,88 +2913,51 @@
 	needText = FALSE;
 	spaceOk = FALSE;
 	}
     
     ++i;	    
     }
 if (needText || spaceOk)
     {
     sqlCheckError("Invalid Identifiers List [%s] unexpected trailing comma or space character", identifiers);
     return identifiers;
     }
 
 return identifiers;
 }
 
-static char *sqlCheckIdentifierKind(char *identifier, char *kind)
+char *sqlCheckIdentifier(char *identifier)
 /* Check that only valid identifier characters are used */
 {
 static boolean init = FALSE;
 static char allowed[256];
 if (!init)
     {
     sqlCheckDisallowAllChars(allowed);
     sqlCheckAllowAlphaNumChars(allowed);
     sqlCheckAllowChar('.', allowed);
     sqlCheckAllowChar('_', allowed);
     // NOTE it is important for security that no other characters be allowed here
     init = TRUE;
     }
 if (!sqlCheckAllowedChars(identifier, allowed))
     {
-    sqlCheckError("Illegal character found in %s %s", kind, identifier);
+    sqlCheckError("Illegal character found in identifier %s", identifier);
     }
 return identifier;
 }
 
-char *sqlCheckIdentifier(char *identifier)
-/* Check that only valid identifier characters are used */
-{
-return sqlCheckIdentifierKind(identifier, "identifier");
-}
-
-// TODO not sure this one is really needed. Regular identifier check works well enough.
-// included this one originally in case it was used alot and needed to be a 
-// little different from identifier check.
-char *sqlCheckTableName(char *table)
-/* Check that only valid table name characters are used */
-{
-return sqlCheckIdentifierKind(table, "table");
-}
-
-// TODO not sure we really need this function. could probably just use sqlCheckIdentifier instead.
-char *sqlCheckCgiEncodedName(char *name)
-/* Check that only valid cgi-encoded characters are used */
-{
-static boolean init = FALSE;
-static char allowed[256];
-if (!init)
-    {
-    sqlCheckDisallowAllChars(allowed);
-    sqlCheckAllowAlphaNumChars(allowed);
-    sqlCheckAllowChar('.', allowed);
-    sqlCheckAllowChar('_', allowed);
-    sqlCheckAllowChar('%', allowed);
-    init = TRUE;
-    }
-if (!sqlCheckAllowedChars(name, allowed))
-    {
-    sqlCheckError("Illegal character found in table name %s", name);
-    }
-return name;
-}
-
 
 /* --------------------------- */
 
 int sqlEscapeAllStrings(char *buffer, char *s, int bufSize, char escPunc)
 /* Escape all strings demarked by escPunc char. *
  * Returns final size not including terminating 0. 
  * User needs to pre-allocate enough space that mysql_escape will never run out of space.
  * This function should be efficient on statements with many strings to be escaped. */
 {
 char *sOrig = s;
 int sz = 0;
 int remainder = bufSize;
 boolean done = FALSE;
 while (1)
     {
@@ -3333,61 +3208,62 @@
 /* Format string to buffer, vsprintf style, only with buffer overflow
  * checking.  The resulting string is always terminated with zero byte. */
 {
 int sz = vaSqlSafefNoAbort(buffer, bufSize, TRUE, format, args);
 if ((sz < 0) || (sz >= bufSize))
     {
     buffer[bufSize-1] = (char) 0;
     errAbort("buffer overflow, size %d, format: %s, buffer: '%s'", bufSize, format, buffer);
     }
 return sz;
 }
 
 int sqlSafef(char* buffer, int bufSize, char *format, ...)
 /* Format string to buffer, vsprintf style, only with buffer overflow
  * checking.  The resulting string is always terminated with zero byte. 
- * Scans string parameters for illegal sql chars. */
+ * Scans unquoted string parameters for illegal literal sql chars.
+ * Escapes quoted string parameters. */
 {
 int sz;
 va_list args;
 va_start(args, format);
 sz = vaSqlSafef(buffer, bufSize, format, args);
 va_end(args);
 return sz;
 }
 
 
 int vaSqlSafefFrag(char* buffer, int bufSize, char *format, va_list args)
 /* Format string to buffer, vsprintf style, only with buffer overflow
  * checking.  The resulting string is always terminated with zero byte. 
- * This version does not add the tag since it is assumed to be just a fragment of
+ * This version does not add the NOSQLINJ tag since it is assumed to be just a fragment of
  * the entire sql string. */
 {
 int sz = vaSqlSafefNoAbort(buffer, bufSize, FALSE, format, args);
 if ((sz < 0) || (sz >= bufSize))
     {
     buffer[bufSize-1] = (char) 0;
     errAbort("buffer overflow, size %d, format: %s, buffer: '%s'", bufSize, format, buffer);
     }
 return sz;
 }
 
 int sqlSafefFrag(char* buffer, int bufSize, char *format, ...)
 /* Format string to buffer, vsprintf style, only with buffer overflow
  * checking.  The resulting string is always terminated with zero byte. 
  * Scans string parameters for illegal sql chars. 
- * This version does not add the tag since it is assumed to be just a fragment of
+ * This version does not add the NOSQLINJ tag since it is assumed to be just a fragment of
  * the entire sql string. */
 {
 int sz;
 va_list args;
 va_start(args, format);
 sz = vaSqlSafefFrag(buffer, bufSize, format, args);
 va_end(args);
 return sz;
 }
 
 
 
 /* --------------------------- */
 
 
@@ -3429,64 +3305,57 @@
 /* VarArgs Printf to end of dyString after scanning string parameters for illegal sql chars. */
 {
 sqlDyStringVaPrintfExt(ds, FALSE, format, args);
 }
 
 void sqlDyStringPrintf(struct dyString *ds, char *format, ...)
 /*  Printf to end of dyString after scanning string parameters for illegal sql chars. */
 {
 va_list args;
 va_start(args, format);
 sqlDyStringVaPrintf(ds, format, args);
 va_end(args);
 }
 
 void sqlDyStringVaPrintfFrag(struct dyString *ds, char *format, va_list args)
-/* VarArgs Printf to end of dyString after scanning string parameters for illegal sql chars. NOSLQINJ tag is not added. */
+/* VarArgs Printf to end of dyString after scanning string parameters for illegal sql chars. 
+ * NOSLQINJ tag is not added. */
 {
 sqlDyStringVaPrintfExt(ds, TRUE, format, args);
 }
 
 void sqlDyStringPrintfFrag(struct dyString *ds, char *format, ...)
-/*  Printf to end of dyString after scanning string parameters for illegal sql chars. NOSLQINJ tag is not added. */
+/* Printf to end of dyString after scanning string parameters for illegal sql chars. 
+ * NOSLQINJ tag is not added. */
 {
 va_list args;
 va_start(args, format);
 sqlDyStringVaPrintfFrag(ds, format, args);
 va_end(args);
 }
 
 
 void sqlDyStringAppend(struct dyString *ds, char *string)
 /* Append zero terminated string to end of dyString.
  * Makes sure the NOSQLINJ prefix gets added if needed */
 {
 if (ds->stringSize == 0)
     dyStringAppend(ds, "NOSQLINJ ");
 dyStringAppendN(ds, string, strlen(string));
 }
 
 
-// TODO probably do not need this one now that we have sqlDyStringPrintfFrag
-char *sqlDyStringFrag(struct dyString *ds)
-/* If ds is only a sql fragment, do not need leading NOSQLINJ tag */
-{
-if (startsWith("NOSQLINJ ", ds->string))
-    return ds->string + strlen("NOSQLINJ ");
-return ds->string;
-}
-
 struct dyString *sqlDyStringCreate(char *format, ...)
 /* Create a dyString with a printf style initial content 
  * Makes sure the NOSQLINJ prefix gets added if needed */
 {
 int len = strlen(format) * 3;
 struct dyString *ds = newDyString(len);
 va_list args;
 va_start(args, format);
 sqlDyStringVaPrintf(ds, format, args);
 va_end(args);
 return ds;
 }
 
 
 void sqlCheckError(char *format, ...)