080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/fishClones/fishClones.c src/hg/fishClones/fishClones.c
index dd41240..afb19ec 100644
--- src/hg/fishClones/fishClones.c
+++ src/hg/fishClones/fishClones.c
@@ -712,31 +712,31 @@
 }
 }
 void findAccPosition(struct sqlConnection *conn, struct position *pos, struct fishClone *fc)
 /* Determine the position of an accession */
 {
 char query[256];
 struct sqlResult *sr;
 char **row, *name;
 struct clonePos *cp;
 struct position *newPos;
 struct name *missing;
 name = cloneString(pos->name);
 strcat(name, "%");
-safef(query, sizeof(query), "select * from clonePos where name like '%s'", name);
+sqlSafef(query, sizeof(query), "select * from clonePos where name like '%s'", name);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
 {
 cp = clonePosLoad(row);
 free(pos->name);
 pos->name = cloneString(cp->name);
 pos->chrom = cloneString(cp->chrom);
 pos->start = cp->chromStart;
 pos->end = cp->chromEnd;
 pos->phase = cp->phase;
 clonePosFree(&cp);
 while ((row = sqlNextRow(sr)) != NULL)
 {
 cp = clonePosLoad(row);
 newPos = createPosition(cp->name, "Accession", ' ');
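Review bot: `strcat(name, "%")` writes past the buffer that `cloneString` returned — if, as in the kent library, cloneString allocates exactly strlen+1 bytes, the appended `%` and its terminator land one byte beyond the allocation, a heap overflow that the sqlSafef change in this hunk does not address. Allocate room for the suffix instead, e.g. `name = needMem(strlen(pos->name) + 2); strcpy(name, pos->name); strcat(name, "%");`, or format it with `safef` into a buffer sized the same way. Note also that, as far as I can tell, `sqlSafef` escapes quotes and backslashes but not the LIKE wildcards `%` and `_`, so any of those already in pos->name still match arbitrarily; escape them if an exact-prefix match is intended. findAccPosition continues past the end of the hunk.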
@@ -757,41 +757,41 @@
 sqlFreeResult(&sr);
 }
 void findStsPosition(struct sqlConnection *conn, struct position *pos, struct fishClone *fc)
 /* Determine the position of an sts marker */
 {
 struct sqlConnection *conn1 = hAllocConn(sqlGetDatabase(conn));
 char query[256];
 struct sqlResult *sr, *sr1;
 char **row, **row1;
 struct stsAlias *a;
 struct stsMap *s;
 struct position *newPos;
 boolean found = FALSE;
-safef(query, sizeof(query), "select * from stsMap where name = '%s'", pos->name);
+sqlSafef(query, sizeof(query), "select * from stsMap where name = '%s'", pos->name);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) == NULL)
 {
 sqlFreeResult(&sr);
-safef(query, sizeof(query), "select * from stsAlias where alias = '%s'", pos->name);
+sqlSafef(query, sizeof(query), "select * from stsAlias where alias = '%s'", pos->name);
 sr1 = sqlGetResult(conn1, query);
 if ((row1 = sqlNextRow(sr1)) != NULL)
 {
 a = stsAliasLoad(row1);
-safef(query, sizeof(query), "select * from stsMap where name = '%s'", a->trueName);
+sqlSafef(query, sizeof(query), "select * from stsMap where name = '%s'", a->trueName);
 stsAliasFree(&a);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
 found = TRUE;
 }
 sqlFreeResult(&sr1);
 }
 else
 found = TRUE;
 if (found)
 {
 s = stsMapLoad(row);
 pos->chrom = cloneString(s->chrom);
 pos->start = s->chromStart;
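Review bot: The alias fallback opens a second connection `conn1` via hAllocConn just to run the stsAlias query, yet `sqlFreeResult(&sr)` on the line before it has already released the result on `conn`, so the same connection could serve all three queries and the hAllocConn/hFreeConn pair (the latter sits in the next hunk) could be dropped; if hAllocConn is pooled this costs little, but it is one more resource to keep balanced on every return path. The header comment also says nothing about the fallback; I would extend it to `/* Determine the position of an sts marker; falls back to stsAlias and resolves the alias's trueName */`. findStsPosition continues past the end of the hunk.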
@@ -809,31 +809,31 @@
 }
 }
 sqlFreeResult(&sr);
 hFreeConn(&conn1);
 }
 void findBacEndPairPosition(struct sqlConnection *conn, struct fishClone *fc)
 /* Determine the positions of bac end pairs for a clone */
 {
 char query[256], names[256];
 struct sqlResult *sr;
 char **row;
 struct lfs *be;
 struct position *newPos;
-safef(query, sizeof(query), "select * from bacEndPairs where name = '%s' order by (chromEnd - chromStart)", fc->cloneName);
+sqlSafef(query, sizeof(query), "select * from bacEndPairs where name = '%s' order by (chromEnd - chromStart)", fc->cloneName);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
 {
 be = lfsLoad(row+1);
 safef(names, sizeof(names), "%s,%s", be->lfNames[0], be->lfNames[1]);
 newPos = createPosition(names, "BAC End Pair", ' ');
 newPos->chrom = cloneString(be->chrom);
 newPos->start = be->chromStart;
 newPos->end = be->chromEnd;
 lfsFree(&be);
 slAddHead(&fc->endPair, newPos);
 }
 sqlFreeResult(&sr);
 }
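Review bot: `be = lfsLoad(row+1);` skips the first result column without saying why, while the other loaders in this file take `row` directly; presumably the bacEndPairs table carries a leading bin column, so add `/* skip bin column */` and confirm against the table schema. Separately, escaping can lengthen `fc->cloneName` (each quote or backslash becomes two characters) and `query` is only 256 bytes; as I read the library, sqlSafef errAborts on truncation rather than silently shortening the query, so a long or quote-heavy clone name would terminate the run — worth a comment if that is the intended failure mode.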