080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgBlatTest/hgBlatTest.c src/hg/hgBlatTest/hgBlatTest.c
index 623e0f0..ecab086 100644
--- src/hg/hgBlatTest/hgBlatTest.c
+++ src/hg/hgBlatTest/hgBlatTest.c
@@ -121,31 +121,30 @@
 char *nearStartTablePat = "<!-- Start Rows -->";
 char *nearEndTablePat = "<!-- End Rows -->";
 char *nearEndRowPat = "<!-- Row -->";
 
 int nearCountRows(struct htmlPage *page)
 /* Count number of rows in big table. */
 {
 return qaCountBetween(page->htmlText, nearStartTablePat,
 	nearEndTablePat, nearEndRowPat);
 }
 
 int nearCountUniqAccRows(struct htmlPage *page)
 /* Count number of unique rows in table containing just hyperlinked 
  * accessions. */
 {
-char *startTable, *endTable, *startRow;
 char *s, *e, *row, *acc;
 int count = 0;
 struct hash *uniqHash = hashNew(0);
 
 if (page == NULL)
     return -1;
 
 /* Set s to first row. */
 s = stringIn(nearStartTablePat, page->htmlText);
 if (s == NULL)
     return -1;
 s += strlen(nearStartTablePat);
 
 for (;;)
     {
@@ -211,32 +210,30 @@
     }
 }
 
 void quickErrReport()
 /* Report error at head of list if any */
 {
 struct blatTest *test = blatTestList;
 if (test->status->errMessage != NULL)
     blatTestLogOne(test, stderr);
 }
 
 void testCol(struct htmlPage *emptyConfig, char *org, char *db, char *col, char *gene)
 /* Test one column. */
 {
 struct htmlPage *printPage = NULL;
-struct blatTest *test;
-struct qaStatus *qs;
 char visVar[256];
 safef(visVar, sizeof(visVar), "near.col.%s.vis", col);
 htmlPageSetVar(emptyConfig, NULL, visVar, "on");
 htmlPageSetVar(emptyConfig, NULL, orderVarName, "geneDistance");
 htmlPageSetVar(emptyConfig, NULL, countVarName, "25");
 
 //printPage = quickSubmit(emptyConfig, NULL, org, db, col, gene, "colPrint", "Submit", "on");
 if (printPage != NULL)
     {
     int expectCount = 25;
     int lineCount = nearCountRows(printPage);
     if (lineCount != expectCount)
 	qaStatusSoftError(blatTestList->status, 
 		"Got %d rows, expected %d", lineCount, expectCount);
     }
@@ -329,31 +326,30 @@
     int lineCount = nearCountRows(printPage);
     if (lineCount < 1)
 	qaStatusSoftError(blatTestList->status, "No rows for sort %s", sort);
     }
 quickErrReport();
 htmlPageFree(&printPage);
 }
 
 
 
 void testDbSorts(struct htmlPage *dbPage, char *org, char *db, 
 	char *accColumn, struct slName *geneList)
 /* Test on one database. */
 {
 struct htmlPage *emptyConfig;
-struct slName *colList = NULL, *col;
 struct htmlFormVar *sortVar = htmlFormVarGet(dbPage->forms, orderVarName);
 struct slName *gene, *sort;
 
 uglyf("testDbSorts %s %s\n", org, db);
 if (sortVar == NULL)
     errAbort("Couldn't find var %s", orderVarName);
 
 emptyConfig = emptyConfigPage(dbPage, org, db);
 if (emptyConfig != NULL)
     {
     for (sort = sortVar->values; sort != NULL; sort= sort->next)
 	{
 	for (gene = geneList; gene != NULL; gene = gene->next)
 	    {
 	    testSortX(emptyConfig, org, db, sort->name, gene->name, accColumn);
@@ -621,45 +617,45 @@
     if (section)
 	{
 	if (sameWord(section,targ))
 	    {
     	    result=raHash;
 	    }
 	}
     }
 freez(&targ);
 return result;
 }
 
 void inheritRa(char **pvar, struct hash *ra, char *name)
 /* override previous value if non-null value found */
 {
-char *temp=NULL;
-if (temp = hashFindVal(ra, name))
+char *temp = hashFindVal(ra, name);
+if (temp)
     {
     *pvar = temp;
     }
 }
 
 char *getFieldWhereField(char *db, char *table, char *field, char *whereField, char *whereValue)
 /* Get random sample from database. */
 {
 struct sqlConnection *conn = sqlConnect(db);
 char query[256], **row;
 struct sqlResult *sr;
 char *result=NULL;
-safef(query, sizeof(query), "select %s from %s where %s = '%s'", 
+sqlSafef(query, sizeof(query), "select %s from %s where %s = '%s'", 
 	field, table, whereField, whereValue);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
     {
     result = cloneString(row[0]);
     }
 sqlFreeResult(&sr);
 sqlDisconnect(&conn);
 return result;
 }
 
 
 int genePredCdnaSize(struct genePred *gp)
 /* Return total size of all exons. */
 {
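Review bot: The header comment on getFieldWhereField, `/* Get random sample from database. */`, describes a different function; the body runs one `select <field> from <table> where <whereField> = '<value>'` and returns a cloned copy of the first row's first column, or NULL when there is no row, so it should read `/* Return a copy of field from the first row where whereField = whereValue, or NULL if none. */`. The switch to sqlSafef covers the quoted whereValue, but field, table and whereField are spliced in as unquoted identifiers; if I recall sqlSafef's handling correctly it validates unquoted `%s` arguments as identifiers rather than escaping them, so it is worth confirming that no caller passes user-controlled names there — the same applies to the unquoted `table` in htcGeneMrna in a later hunk. The query buffer is 256 bytes and an escaped whereValue can be longer than the input; sqlSafef is expected to abort rather than truncate on overflow, which is the right outcome but should be confirmed.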
@@ -672,31 +668,31 @@
     }
 return totalSize;
 }
 
 
 
 struct dnaSeq *hDnaFromSeqD(char *db, char *seqName, int start, int end, enum dnaCase dnaCase)
 /* Fetch DNA (galt added db) */
 {
 char fileName[512];
 char query[512];
 struct dnaSeq *seq = NULL;
 struct sqlConnection *conn = sqlConnect(db);
 struct sqlResult *sr;
 char **row;
-safef(query, sizeof(query), "select fileName from chromInfo where chrom='%s'", seqName);
+sqlSafef(query, sizeof(query), "select fileName from chromInfo where chrom='%s'", seqName);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
     {
     safef(fileName,sizeof(fileName),"%s",row[0]);
     }
 sqlFreeResult(&sr);
 sqlDisconnect(&conn);
 seq = nibLoadPart(fileName, start, end-start);
 if (dnaCase == dnaUpper)
     touppers(seq->dna);
 return seq;
 }
 
 
 struct dnaSeq *getCdnaSeqD(char *db, struct genePred *gp)
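Review bot: `fileName` in hDnaFromSeqD is declared at `char fileName[512];` without an initializer, so when the chromInfo query returns no row for seqName the `safef(fileName,...)` branch is skipped and `nibLoadPart(fileName, start, end-start)` is called with an indeterminate string; the sqlSafef change fixes the injection but leaves this path. Initialize it, `char fileName[512] = "";`, and fail explicitly before the load, `if (fileName[0] == '\0') errAbort("hDnaFromSeqD: no chromInfo entry for %s in %s", seqName, db);`. The following `touppers(seq->dna)` also assumes nibLoadPart never returns NULL, which is worth confirming against that function's contract.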
@@ -748,31 +744,31 @@
 
 struct dnaSeq *htcGeneMrna(char *db, char * table, char *geneName)
 /* Display cDNA predicted from genome */
 {
 char query[512];
 struct sqlConnection *conn = sqlConnect(db);
 struct sqlResult *sr;
 char **row;
 struct genePred *gp;
 struct dnaSeq *seq=NULL;
 int cdsStart, cdsEnd;
 int rowOffset = 0;
 char *fld=NULL;
 int f = 0;
 
-safef(query, sizeof(query), "select * from %s where name = '%s'", table, geneName);
+sqlSafef(query, sizeof(query), "select * from %s where name = '%s'", table, geneName);
 sr = sqlGetResult(conn, query);
 while ((fld = sqlFieldName(sr)) != NULL)
     {
     if (sameString(fld,"bin"))
 	{
 	rowOffset = f+1;
 	}
     f++;
     }
 uglyf("rowOffset=%d \n",rowOffset);    
 								
 if ((row = sqlNextRow(sr)) != NULL)
     {
     gp = genePredLoad(row+rowOffset);
     seq = getCdnaSeqD(db, gp);
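Review bot: The header comment `/* Display cDNA predicted from genome */` on htcGeneMrna is misleading: nothing is displayed, the function looks up geneName in table and, as far as the hunk shows, returns the sequence from getCdnaSeqD with seq left NULL when no row matches, so `/* Return cDNA predicted from genome for geneName in table; NULL if not found. */` describes it better. The body of htcGeneMrna continues past the end of the hunk. The `uglyf("rowOffset=%d \n",rowOffset);` trace sits in the query path; if it is a leftover debug aid it belongs with the other cleanups this commit makes.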
@@ -793,31 +789,30 @@
 									    
 
 
 void testDb(struct htmlPage *orgPage, struct htmlForm *orgForm, char *org, char *db)
 /* Test on one database. */
 {
 
 struct hash *genomeRa=NULL;
 char *dnaTable = NULL;
 char *lnkTable = NULL;
 char *proTable = NULL;
 char *dnaColumn = NULL;
 char *lnkColumn = NULL;
 char *proColumn = NULL;
 char *method = NULL;
-char *temp = NULL;
 
 genomeRa=findRaSection(raList,"global");
 if (!genomeRa)
     {
     errAbort("testDb: .ra has no global section \n");
     }
 inheritRa(&dnaTable,  genomeRa, "dna");
 inheritRa(&lnkTable,  genomeRa, "lnk");
 inheritRa(&proTable,  genomeRa, "pro");
 inheritRa(&dnaColumn, genomeRa, "dnaColumn");
 inheritRa(&lnkColumn, genomeRa, "lnkColumn");
 inheritRa(&proColumn, genomeRa, "proColumn");
 inheritRa(&method,    genomeRa, "method");
 
 genomeRa=findRaSection(raList,org);   
@@ -916,35 +911,33 @@
 else if (sameWord(method,"2"))
     geneList = sqlRandomSample(db, proTable, dnaColumn, clRepeat);
 else
     errAbort("unknown method %s in .ra",method);
 
 if (!geneList)
     {
     uglyf("testDb: sqlRandomSample returned empty geneList for %s.%s \n",db,dnaTable);
     return;
     }
 
 struct htmlPage *dbPage;
 
 //debug
     struct dyString *dy = newDyString(0);
-    int geneCount = slCount(geneList);
     struct slName *gene;
     //char *dna = NULL;
     //HGID retId = 0;
-    char *tempdna = NULL;
     struct dnaSeq *dnaseq=NULL;
     aaSeq *proseq=NULL;
 
     struct sqlConnection *conn = hAllocOrConnect(db);
 
     uglyf("sqlGetDatabase(conn) = %s\n", sqlGetDatabase(conn) );
 
     //uglyf("host=%s, db=%s, user=%s, pwd=%s \n", hGetDbHost(), hGetDbName(), hGetDbUser(), hGetDbPassword());
     
     char *acc = NULL;
     int g = 0;
     for (gene = geneList; gene != NULL; gene = gene->next)
 	{
 
 	//uglyf("testDb: got to top of geneList loop for %s.%s \n",db,dnaTable);