080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/das/das.c src/hg/das/das.c
index e356ee1..166582d 100644
--- src/hg/das/das.c
+++ src/hg/das/das.c
@@ -226,31 +226,31 @@
 lineFileClose(&lf);
 return disabled;
 }
 
 static struct hash *mkTrackTypeHash()
 /* build a hash of track name to type */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct hash *hash = hashNew(10);
 struct slName *trackDb, *trackDbs = hTrackDbList();
 for (trackDb = trackDbs; trackDb != NULL; trackDb = trackDb->next)
     {
     if (sqlTableExists(conn, trackDb->name))
         {
         char query[128];
-        safef(query, sizeof(query), "select tableName,type,settings from %s", trackDb->name);
+        sqlSafef(query, sizeof(query), "select tableName,type,settings from %s", trackDb->name);
         struct sqlResult *sr = sqlGetResult(conn, query);
         char **row;
         while ((row = sqlNextRow(sr)) != NULL)
             {
             if (dasableType(row[1]) && !disabledViaSettings(row[2]) && (hashLookup(hash, row[0]) == NULL))
                 hashAdd(hash, row[0], NULL);
             }
         sqlFreeResult(&sr);
         }
     }
 slFreeList(&trackDbs);
 hFreeConn(&conn);
 return hash;
 }
 
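Review bot: `trackDb->name` is substituted into an identifier position (`from %s`), which string escaping alone does not make safe — an unquoted name containing spaces or operators would still alter the statement — so the protection here rests either on sqlSafef validating unquoted `%s` arguments as identifiers or on `hTrackDbList()` yielding only configured, trusted names (presumably the latter; confirm). The `sqlTableExists(conn, trackDb->name)` probe on the line above receives the same raw name. Worth a comment on the sqlSafef line: `/* trackDb names come from hTrackDbList() (configuration), not from the request; %s here is a table identifier, not a quoted value */`.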
@@ -291,31 +291,31 @@
 return hashLookup(skips, name) != NULL;
 }
 
 static struct tableDef *getTables()
 /* Get all tables. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct hash *hash = newHash(0);
 struct tableDef *tdList = NULL, *td;
 struct sqlResult *sr;
 char **row;
 char *table, *root;
 boolean isSplit, hasBin;
 char chromField[32], startField[32], endField[32];
 
-sr = sqlGetResult(conn, "show tables");
+sr = sqlGetResult(conn, "NOSQLINJ show tables");
 while ((row = sqlNextRow(sr)) != NULL)
     {
     table = root = row[0];
     if (hFindFieldsAndBin(database, table, chromField, startField, endField, &hasBin))
 	{
 	isSplit = tableIsSplit(table);
 	if (isSplit)
 	    root = skipOverChrom(table);
 	if (!skipTable(root) && dasableTrack(root))
 	    {
 	    if ((td = hashFindVal(hash, root)) == NULL)
 		{
 		AllocVar(td);
 		slAddHead(&tdList, td);
 		hashAdd(hash, root, td);
@@ -582,80 +582,80 @@
 
 static int countFeatures(struct tableDef *td, struct segment *segmentList)
 /* Count all the features in a given segment. */
 {
 struct segment *segment;
 int acc = 0;
 struct sqlConnection *conn = hAllocConn(database);
 char chrTable[256];
 char query[512];
 struct slName *n;
 
 if (segmentList == NULL)
     {
     if (td->splitTables == NULL)
         {
-	sprintf(query, "select count(*) from %s", td->name);
+	sqlSafef(query, sizeof query, "select count(*) from %s", td->name);
 	acc = sqlQuickNum(conn, query);
 	}
     else
         {
 	for (n = td->splitTables; n != NULL; n = n->next)
 	    {
-	    sprintf(query, "select count(*) from %s", n->name);
+	    sqlSafef(query, sizeof query, "select count(*) from %s", n->name);
 	    acc += sqlQuickNum(conn, query);
 	    }
 	}
     }
 else
     {
     for (segment = segmentList; segment != NULL; segment = segment->next)
 	{
 	if (segment->wholeThing)
 	    {
 	    if (td->splitTables == NULL)
 	        {
-		sprintf(query, "select count(*) from %s where %s = '%s'", 
+		sqlSafef(query, sizeof query, "select count(*) from %s where %s = '%s'", 
 			td->name, td->chromField, segment->seq);
 		acc += sqlQuickNum(conn, query);
 		}
 	    else
 	        {
 		sprintf(chrTable, "%s_%s", segment->seq, td->name);
 		if (sqlTableExists(conn, chrTable))
 		    {
-		    sprintf(query, "select count(*) from %s", 
+		    sqlSafef(query, sizeof query, "select count(*) from %s", 
 			    chrTable);
 		    acc += sqlQuickNum(conn, query);
 		    }
 		}
 	    }
 	else
 	    {
 	    if (td->splitTables == NULL)
 	        {
-		sprintf(query, "select count(*) from %s where %s = '%s' and %s < %d and %s > %d",
+		sqlSafef(query, sizeof query, "select count(*) from %s where %s = '%s' and %s < %d and %s > %d",
 		     td->name, td->chromField, segment->seq,
 		     td->startField, segment->end, td->endField, segment->start);
 		acc += sqlQuickNum(conn, query);
 		}
 	    else
 	        {
 		sprintf(chrTable, "%s_%s", segment->seq, td->name);
 		if (sqlTableExists(conn, chrTable))
 		    {
-		    sprintf(query, "select count(*) from %s where %s < %d and %s > %d", chrTable, 
+		    sqlSafef(query, sizeof query, "select count(*) from %s where %s < %d and %s > %d", chrTable, 
 			 td->startField, segment->end, td->endField, segment->start);
 		    acc += sqlQuickNum(conn, query);
 		    }
 		}
 	    }
 	}
     }
 hFreeConn(&conn);
 return acc;
 }
  
 
 static void doTypes()
 /* Handle a types request. */
 {
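Review bot: The two `sprintf(chrTable, "%s_%s", segment->seq, td->name)` calls in the split-table branches of `countFeatures` are left unbounded while every query build moved to sqlSafef; `chrTable` is 256 bytes and `segment->seq` appears to come from the request's segment list, so an over-long sequence name would overflow it before any SQL escaping runs. Change both to `safef(chrTable, sizeof chrTable, "%s_%s", segment->seq, td->name);`. Separately, `chrTable` and `td->name` are substituted into an identifier position (`from %s`), where string escaping does not neutralize a malformed name — presumably sqlSafef checks unquoted `%s` arguments as identifiers, but that is worth confirming and recording in a comment, since the `sqlTableExists(conn, chrTable)` probe also receives the raw name.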
@@ -949,31 +949,31 @@
 static void doEntryPoints()
 /* Handle entry points request. */
 {
 struct sqlConnection *conn;
 struct sqlResult *sr;
 char **row;
 struct chromInfo *ci;
 
 normalHeader();
 conn = hAllocConn(database);
 printf("<!DOCTYPE DASEP SYSTEM \"http://www.biodas.org/dtd/dasep.dtd\">\n");
 printf("<DASEP>\n");
 printf("<ENTRY_POINTS href=\"%s\" version=\"7.00\">\n",
 	currentUrl());
 
-sr = sqlGetResult(conn, "select * from chromInfo");
+sr = sqlGetResult(conn, "NOSQLINJ select * from chromInfo");
 while ((row = sqlNextRow(sr)) != NULL)
     {
     ci = chromInfoLoad(row);
     /* "chr"-less chromosome ID for clients such as Ensembl: */
     if (startsWith("chr", ci->chrom))
 	printf(" <SEGMENT id=\"%s\" start=\"%d\" stop=\"%d\" orientation=\"+\" subparts=\"no\">%s</SEGMENT>\n", ci->chrom+3, 1, ci->size, ci->chrom+3);
     else
 	printf(" <SEGMENT id=\"%s\" start=\"%d\" stop=\"%d\" orientation=\"+\" subparts=\"no\">%s</SEGMENT>\n", ci->chrom, 1, ci->size, ci->chrom);
     chromInfoFree(&ci);
     }
 
 printf("</ENTRY_POINTS>\n");
 printf("</DASEP>\n");
 }
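Review bot: `doEntryPoints` never releases what it acquires: the result set from `sqlGetResult` is not freed with `sqlFreeResult(&sr)` after the loop, and the connection from `hAllocConn(database)` is never returned with `hFreeConn(&conn)`, unlike `mkTrackTypeHash` and `countFeatures` elsewhere in this diff. In a short-lived CGI this is only a leak, but it keeps the connection checked out of the pool for the rest of the process; add `sqlFreeResult(&sr);` and `hFreeConn(&conn);` before the closing `printf` lines. The NOSQLINJ prefix on the constant query is fine since the literal contains no interpolated data.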