080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/fishClones/fishClones.c src/hg/fishClones/fishClones.c
index dd41240..afb19ec 100644
--- src/hg/fishClones/fishClones.c
+++ src/hg/fishClones/fishClones.c
@@ -712,31 +712,31 @@
     }
 }
 
 void findAccPosition(struct sqlConnection *conn, struct position *pos, struct fishClone *fc)
 /* Determine the position of an accession */
 {
   char query[256];
   struct sqlResult *sr;
   char **row, *name;
   struct clonePos *cp;
   struct position *newPos;
   struct name *missing;
 
   name = cloneString(pos->name);
   strcat(name, "%"); 
-  safef(query, sizeof(query), "select * from clonePos where name like '%s'", name);
+  sqlSafef(query, sizeof(query), "select * from clonePos where name like '%s'", name);
   sr = sqlGetResult(conn, query);
   if ((row = sqlNextRow(sr)) != NULL) 
     {
       cp = clonePosLoad(row);
       free(pos->name);
       pos->name = cloneString(cp->name);
       pos->chrom = cloneString(cp->chrom);
       pos->start = cp->chromStart;
       pos->end = cp->chromEnd;
       pos->phase = cp->phase;
       clonePosFree(&cp);
       while ((row = sqlNextRow(sr)) != NULL) 
 	{
 	  cp = clonePosLoad(row);
 	  newPos = createPosition(cp->name, "Accession", ' ');
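Review bot: The pattern string built at lines 23-24 overflows its buffer before the new sqlSafef call ever sees it: `name = cloneString(pos->name)` presumably allocates exactly strlen+1 bytes, and the following `strcat(name, "%")` then writes the '%' and the terminator one byte past the end of that allocation. Building the pattern in a bounded buffer avoids both the overflow and the allocation, e.g. change the declaration on line 18 to `char **row; char name[256];` and replace lines 23-24 with `safef(name, sizeof(name), "%s%%", pos->name);` (if the part of findAccPosition past this hunk frees `name`, that call must go too). Note also that sqlSafef's `%s` escapes quoting characters but, as far as I know, not the LIKE metacharacters `%` and `_`, so an accession containing `_` would still match as a wildcard — worth a comment if that is accepted. findAccPosition's body continues past this hunk.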
@@ -757,41 +757,41 @@
   sqlFreeResult(&sr);
 }
 
 void findStsPosition(struct sqlConnection *conn, struct position *pos, struct fishClone *fc)
 /* Determine the position of an sts marker */
 {
   struct sqlConnection *conn1 = hAllocConn(sqlGetDatabase(conn));
   char query[256];
   struct sqlResult *sr, *sr1;
   char **row, **row1;
   struct stsAlias *a;
   struct stsMap *s;
   struct position *newPos;
   boolean found = FALSE;
 
-  safef(query, sizeof(query), "select * from stsMap where name = '%s'", pos->name);
+  sqlSafef(query, sizeof(query), "select * from stsMap where name = '%s'", pos->name);
   sr = sqlGetResult(conn, query);
   if ((row = sqlNextRow(sr)) == NULL)
     {
       sqlFreeResult(&sr);
-      safef(query, sizeof(query), "select * from stsAlias where alias = '%s'", pos->name);
+      sqlSafef(query, sizeof(query), "select * from stsAlias where alias = '%s'", pos->name);
       sr1 = sqlGetResult(conn1, query);
       if ((row1 = sqlNextRow(sr1)) != NULL)
 	{
 	  a = stsAliasLoad(row1);
-	  safef(query, sizeof(query), "select * from stsMap where name = '%s'", a->trueName);
+	  sqlSafef(query, sizeof(query), "select * from stsMap where name = '%s'", a->trueName);
 	  stsAliasFree(&a);
 	  sr = sqlGetResult(conn, query);      
 	  if ((row = sqlNextRow(sr)) != NULL)
 	    found = TRUE;
 	}
       sqlFreeResult(&sr1);
     }
   else 
     found = TRUE;
   
   if (found)
     {
       s = stsMapLoad(row);
       pos->chrom = cloneString(s->chrom);
       pos->start = s->chromStart;
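Review bot: findStsPosition releases `sr` at line 63 on the no-match path and, when the alias lookup at lines 65-67 also finds nothing, reaches the trailing `sqlFreeResult(&sr)` (visible at line 90 of the next hunk) with that same variable, so the function is sound only if sqlFreeResult resets the pointer it is handed to NULL and accepts NULL on the second call; the `&sr` convention suggests it does, but nothing in the hunk records the reliance. A one-line comment after line 63, `/* sqlFreeResult() NULLs sr, so the final sqlFreeResult(&sr) is a no-op on this path */`, would make the invariant explicit, and a similar note that `row` (used at line 84) is only valid when `found` is TRUE would help the reader. The body of findStsPosition continues past this hunk.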
@@ -809,31 +809,31 @@
 	}
     }
   sqlFreeResult(&sr);
   hFreeConn(&conn1);
 }
 
 void findBacEndPairPosition(struct sqlConnection *conn, struct fishClone *fc)
 /* Determine the positions of bac end pairs for a clone */
 {
   char query[256], names[256];
   struct sqlResult *sr;
   char **row;
   struct lfs *be;
   struct position *newPos;
 
-  safef(query, sizeof(query), "select * from bacEndPairs where name = '%s' order by (chromEnd - chromStart)", fc->cloneName);
+  sqlSafef(query, sizeof(query), "select * from bacEndPairs where name = '%s' order by (chromEnd - chromStart)", fc->cloneName);
   sr = sqlGetResult(conn, query);
   while ((row = sqlNextRow(sr)) != NULL)
     {
       be = lfsLoad(row+1);
       safef(names, sizeof(names), "%s,%s", be->lfNames[0], be->lfNames[1]);
       newPos = createPosition(names, "BAC End Pair", ' ');
       newPos->chrom = cloneString(be->chrom);
       newPos->start = be->chromStart;
       newPos->end = be->chromEnd;
       lfsFree(&be);
       slAddHead(&fc->endPair, newPos);
     }
   sqlFreeResult(&sr);
 }
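Review bot: The query at line 104 orders rows ascending by `(chromEnd - chromStart)`, but the loop inserts each position with `slAddHead` at line 115, so `fc->endPair` ends up with the widest pair first — the reverse of the SQL ordering. If callers expect narrowest-first, add `slReverse(&fc->endPair);` after the loop; if widest-first is intended, record it with a comment on line 115 such as `/* slAddHead reverses the ascending ORDER BY: widest pair ends up first */`. `lfsLoad(row+1)` at line 108 also skips the first result column without any check; presumably that column is a bin field — confirm and note it in a comment.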