080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgBlat/hgBlat.c src/hg/hgBlat/hgBlat.c
index 5f172eb..5706e92 100644
--- src/hg/hgBlat/hgBlat.c
+++ src/hg/hgBlat/hgBlat.c
@@ -48,40 +48,40 @@
 int minMatchShown = 20;
 #endif
 
 struct serverTable *findServer(char *db, boolean isTrans)
 /* Return server for given database.  Db can either be
  * database name or description. */
 {
 static struct serverTable st;
 struct sqlConnection *conn = hConnectCentral();
 char query[256];
 struct sqlResult *sr;
 char **row;
 char dbActualName[32];
 
 /* If necessary convert database description to name. */
-safef(query, sizeof(query), "select name from dbDb where name = '%s'", db);
+sqlSafef(query, sizeof(query), "select name from dbDb where name = '%s'", db);
 if (!sqlExists(conn, query))
     {
-    sprintf(query, "select name from dbDb where description = '%s'", db);
+    sqlSafef(query, sizeof(query), "select name from dbDb where description = '%s'", db);
     if (sqlQuickQuery(conn, query, dbActualName, sizeof(dbActualName)) != NULL)
         db = dbActualName;
     }
 
 /* Do a little join to get data to fit into the serverTable. */
-safef(query, sizeof(query), "select dbDb.name,dbDb.description,blatServers.isTrans"
+sqlSafef(query, sizeof(query), "select dbDb.name,dbDb.description,blatServers.isTrans"
                ",blatServers.host,blatServers.port,dbDb.nibPath "
 	       "from dbDb,blatServers where blatServers.isTrans = %d and "
 	       "dbDb.name = '%s' and dbDb.name = blatServers.db", 
 	       isTrans, db);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) == NULL)
     {
     errAbort("Can't find a server for %s database %s.  Click "
 	     "<A HREF=\"/cgi-bin/hgBlat?%s&command=start&db=%s\">here</A> "
 	     "to reset to default database.",
 	     (isTrans ? "translated" : "DNA"), db,
 	     cartSidUrlString(cart), hDefaultDb());
     }
 st.db = cloneString(row[0]);
 st.genome = cloneString(row[1]);
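Review bot: The errAbort() message built on the lines after sqlGetResult() still interpolates `db` verbatim into an HTML fragment (it contains a literal `<A HREF=...>`), so whatever value of `db` the caller passed in is reflected unescaped when no server row is found; escaping the SQL side does not cover this output side. If `db` can originate from a request parameter (likely for a CGI such as hgBlat, though the caller is not visible here), this is a reflected-XSS sink, and `db` should be passed through the project's HTML-escaping helper before formatting, or omitted from the message. Note also that when neither the name nor the description lookup matches, `db` reaches the join query and the error message as the raw caller-supplied string, so the escaping matters on both paths. The value copied into `dbActualName` is bounded by `sizeof(dbActualName)` via sqlQuickQuery, which looks fine. findServer's body continues outside this hunk.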
@@ -89,39 +89,39 @@
 st.host = cloneString(row[3]);
 st.port = cloneString(row[4]);
 st.nibDir = cloneString(row[5]);
 sqlFreeResult(&sr);
 hDisconnectCentral(&conn);
 return &st;
 }
 
 void findClosestServer(char **pDb, char **pOrg)
 /* If db doesn't have a blat server, look for the closest db (or org) that has one,
  * as hgPcr does. */
 {
 char *db = *pDb, *org = *pOrg;
 struct sqlConnection *conn = hConnectCentral();
 char query[256];
-safef(query, sizeof(query), "select db from blatServers where db = '%s'", db);
+sqlSafef(query, sizeof(query), "select db from blatServers where db = '%s'", db);
 if (!sqlExists(conn, query))
     {
-    safef(query, sizeof(query), "select blatServers.db from blatServers,dbDb "
+    sqlSafef(query, sizeof(query), "select blatServers.db from blatServers,dbDb "
 	  "where blatServers.db = dbDb.name and dbDb.genome = '%s'", org);
     char *db = sqlQuickString(conn, query);
     if (db == NULL)
 	{
-	safef(query, sizeof(query), "select blatServers.db from blatServers,dbDb "
+	sqlSafef(query, sizeof(query), "select blatServers.db from blatServers,dbDb "
 	      "where blatServers.db = dbDb.name order by dbDb.orderKey,dbDb.name desc");
 	char *db = sqlQuickString(conn, query);
 	if (db == NULL)
 	    errAbort("central database tables blatServers and dbDb are disjoint/empty");
 	else
 	    {
 	    *pDb = db;
 	    *pOrg = hGenome(db);
 	    }
 	}
     else
 	{
 	*pDb = db;
 	*pOrg = hGenome(db);
 	}
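Review bot: The new code keeps three nested declarations of `char *db` (the outer local initialized from `*pDb`, then one per sqlQuickString() result), which shadow each other and make it easy to misread which value is being tested or assigned to `*pDb`; renaming the inner ones, e.g. `char *orgDb = sqlQuickString(conn, query);` and `char *anyDb = sqlQuickString(conn, query);`, would remove the ambiguity and keep -Wshadow quiet. Both sqlQuickString() results are presumably heap-allocated strings handed to the caller through `*pDb`, while the previous `*pDb` value is never freed here; whether that is a leak depends on the caller's ownership convention, which is not visible, so a short comment stating who owns the returned string would help. The third query takes no format arguments, so sqlSafef() there is only for consistency. findClosestServer's closing brace and any cleanup of `conn` lie outside this hunk.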