080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/getFeatDna/getFeatDna.c src/hg/getFeatDna/getFeatDna.c
index d256d7d..fe30f2a 100644
--- src/hg/getFeatDna/getFeatDna.c
+++ src/hg/getFeatDna/getFeatDna.c
@@ -132,89 +132,89 @@
     {
     seq = hLoadChrom(database, chrom);
     dna = seq->dna;
     size = seq->size;
     }
 else
     {
     hNibForChrom(database, chrom, nibFileName);
     nibOpenVerify(nibFileName, &nibFile, &nibSize);
     }
 
 if (breakUp)
     {
     if (sameString(startField, "tStart"))
 	{
-	dyStringPrintf(query, "select * from %s where tStart >= %d and tEnd < %d",
+	sqlDyStringPrintf(query, "select * from %s where tStart >= %d and tEnd < %d",
 	    table, chromStart, chromEnd);
 	dyStringPrintf(query, " and %s = '%s'", chromField, chrom);
 	if (where != NULL)
 	    dyStringPrintf(query, " and %s", where);
 	sr = sqlGetResult(conn, query->string);
 	while ((row = sqlNextRow(sr)) != NULL)
 	    {
 	    struct psl *psl = pslLoad(row);
 	    if (psl->strand[1] == '-')	/* Minus strand on target */
 		{
 		int tSize = psl->tSize;
 		for (i=0; i<psl->blockCount; ++i)
 		     {
 		     sz = psl->blockSizes[i];
 		     s = tSize - (psl->tStarts[i] + sz);
 		     outputDna(f, chrom, table, 
 		         s, sz, dna, nibFileName, nibFile, nibSize, '-', NULL);
 		     }
 		}
 	    else
 		{
 		for (i=0; i<psl->blockCount; ++i)
 		     outputDna(f, chrom, table, psl->tStarts[i], psl->blockSizes[i], 
 			    dna, nibFileName, nibFile, nibSize, '+', NULL);
 		}
 	    pslFree(&psl);
 	    }
 	}
     else if (sameString(startField, "txStart"))
         {
-	dyStringPrintf(query, "select * from %s where txStart >= %d and txEnd < %d",
+	sqlDyStringPrintf(query, "select * from %s where txStart >= %d and txEnd < %d",
 	    table, chromStart, chromEnd);
 	dyStringPrintf(query, " and %s = '%s'", chromField, chrom);
 	if (where != NULL)
 	    dyStringPrintf(query, " and %s", where);
 	sr = sqlGetResult(conn, query->string);
 	while ((row = sqlNextRow(sr)) != NULL)
 	    {
 	    struct genePred *gp = genePredLoad(row);
 	    for (i=0; i<gp->exonCount; ++i)
 		 {
 		 s = gp->exonStarts[i];
 		 sz = gp->exonEnds[i] - s;
 		 outputDna(f, chrom, table, 
 		    s, sz, dna, nibFileName, nibFile, nibSize, 
 		    gp->strand[0], gp->name);
 		 }
 	    genePredFree(&gp);
 	    }
 	}
     else
         {
         errAbort("Can only use breakUp parameter with psl or genePred formatted tables");
 	}
     }
 else
     {
-    dyStringPrintf(query, "select %s,%s from %s where %s >= %d and %s < %d", 
+    sqlDyStringPrintf(query, "select %s,%s from %s where %s >= %d and %s < %d", 
 	    startField, endField, table,
 	    startField, chromStart, endField, chromEnd);
     dyStringPrintf(query, " and %s = '%s'", chromField, chrom);
     if (where != NULL)
 	dyStringPrintf(query, " and %s", where);
     sr = sqlGetResult(conn, query->string);
     while ((row = sqlNextRow(sr)) != NULL)
 	{
 	s = sqlUnsigned(row[0]);
 	e = sqlUnsigned(row[1]);
 	sz = e - s;
 	if (seq != NULL && (sz < 0 || e >= size))
 	    errAbort("Coordinates out of range %d %d (%s size is %d)", s, e, chrom, size);
 	outputDna(f, chrom, table, s, sz, dna, nibFileName, nibFile, nibSize, 
 		'+', NULL);
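Review bot: Only the opening fragment of each query is routed through sqlDyStringPrintf; the appends that immediately follow each of the three changed lines still use plain dyStringPrintf, so `chrom` is interpolated into `'%s'` without whatever escaping sqlDyStringPrintf applies, and the `where` fragment is spliced in verbatim. The chrom append should go through the same helper in all three branches, e.g. `sqlDyStringPrintf(query, " and %s = '%s'", chromField, chrom);`. `where` is a SQL fragment rather than a value and cannot be value-escaped; if it is meant to remain caller-trusted, a comment at the point it is appended such as `/* where is a caller-supplied SQL fragment, not a value: trusted, not escaped */` would make that trust boundary explicit. The enclosing function begins before the hunk and its final while loop continues past the hunk's last line.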