67990b474e21e7dbbf122f96310c42a76cbf2452
max
  Wed Jun 12 11:03:39 2013 -0700
fix to fix for sql injection problem, suggested by galt
diff --git src/hg/hgTracks/pubsTracks.c src/hg/hgTracks/pubsTracks.c
index 9023b84..8f52155 100644
--- src/hg/hgTracks/pubsTracks.c
+++ src/hg/hgTracks/pubsTracks.c
@@ -445,31 +445,31 @@
 }
 
 static struct hash* pubsLookupSequences(struct track *tg, struct sqlConnection* conn, char *articleId, bool getSnippet)
 /* create a hash with a mapping annotId -> snippet or annotId -> shortSeq for an articleId*/
 {
     struct dyString *dy = dyStringNew(LARGEBUF);
     char *sequenceTable = trackDbRequiredSetting(tg->tdb, "pubsSequenceTable");
 
     // work around sql injection fix problem, suggested by galt
     sqlDyStringPrintf(dy, "SELECT annotId, ");
 
      if (getSnippet)
         dyStringAppend(dy, "replace(replace(snippet, \"<B>\", \"\\n>>> \"), \"</B>\", \" <<<\\n\")" );
     else
         dyStringAppend(dy, "concat(substr(sequence,1,4),\"...\",substr(sequence,-4))" );
-    dyStringPrintf(dy, " FROM %s WHERE articleId='%s' ", sequenceTable, articleId);
+    sqlDyStringPrintf(dy, " FROM %s WHERE articleId='%s' ", sequenceTable, articleId);
     // end sql injection fix
 
     struct hash *seqIdHash = sqlQuickHash(conn, dy->string);
 
     //freeMem(sequenceTable); // trackDbRequiredSetting returns a value in a hash, so do not free
     freeDyString(&dy);
     return seqIdHash;
 }
 
 static char *pubsArticleDispId(struct track *tg, struct sqlConnection *conn, char *articleId)
 /* given an articleId, lookup author and year and create <author><year> label for it */
 {
 char *dispLabel = NULL;
 char *articleTable = pubsArticleTable(tg);
 char query[LARGEBUF];
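Review bot: The comment at the top of the query build ("work around sql injection fix problem, suggested by galt") does not say why pubsLookupSequences mixes dyStringAppend and sqlDyStringPrintf, so the next reader cannot tell which fragments are allowed to bypass the checked printf; suggest replacing it with `// Constant SELECT-list fragments are appended verbatim (their MySQL double-quoted literals presumably trip the sqlDyStringPrintf format checks); the only caller-supplied value, articleId, goes through sqlDyStringPrintf so it is escaped.` The changed line now also routes sequenceTable through a checked `%s` outside quotes; if, as I recall from jksql, that position is identifier-checked rather than escaped, a trackDb table name is fine, but it is worth confirming the helper accepts it and that `%-s` (unchecked) is not needed. The stray extra space before `if (getSnippet)` is unchanged context but the new code would read better aligned with the `else`. pubsArticleDispId begins at the end of this hunk and its body continues outside it.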