080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection diff --git src/hg/hgBlatTest/hgBlatTest.c src/hg/hgBlatTest/hgBlatTest.c index 623e0f0..ecab086 100644 --- src/hg/hgBlatTest/hgBlatTest.c +++ src/hg/hgBlatTest/hgBlatTest.c @@ -121,31 +121,30 @@ char *nearStartTablePat = "<!-- Start Rows -->"; char *nearEndTablePat = "<!-- End Rows -->"; char *nearEndRowPat = "<!-- Row -->"; int nearCountRows(struct htmlPage *page) /* Count number of rows in big table. */ { return qaCountBetween(page->htmlText, nearStartTablePat, nearEndTablePat, nearEndRowPat); } int nearCountUniqAccRows(struct htmlPage *page) /* Count number of unique rows in table containing just hyperlinked * accessions. */ { -char *startTable, *endTable, *startRow; char *s, *e, *row, *acc; int count = 0; struct hash *uniqHash = hashNew(0); if (page == NULL) return -1; /* Set s to first row. */ s = stringIn(nearStartTablePat, page->htmlText); if (s == NULL) return -1; s += strlen(nearStartTablePat); for (;;) { @@ -211,32 +210,30 @@ } } void quickErrReport() /* Report error at head of list if any */ { struct blatTest *test = blatTestList; if (test->status->errMessage != NULL) blatTestLogOne(test, stderr); } void testCol(struct htmlPage *emptyConfig, char *org, char *db, char *col, char *gene) /* Test one column. */ { struct htmlPage *printPage = NULL; -struct blatTest *test; -struct qaStatus *qs; char visVar[256]; safef(visVar, sizeof(visVar), "near.col.%s.vis", col); htmlPageSetVar(emptyConfig, NULL, visVar, "on"); htmlPageSetVar(emptyConfig, NULL, orderVarName, "geneDistance"); htmlPageSetVar(emptyConfig, NULL, countVarName, "25"); //printPage = quickSubmit(emptyConfig, NULL, org, db, col, gene, "colPrint", "Submit", "on"); if (printPage != NULL) { int expectCount = 25; int lineCount = nearCountRows(printPage); if (lineCount != expectCount) qaStatusSoftError(blatTestList->status, "Got %d rows, expected %d", lineCount, expectCount); } @@ -329,31 +326,30 @@ int lineCount = nearCountRows(printPage); if (lineCount < 1) qaStatusSoftError(blatTestList->status, "No rows for sort %s", sort); } quickErrReport(); htmlPageFree(&printPage); } void testDbSorts(struct htmlPage *dbPage, char *org, char *db, char *accColumn, struct slName *geneList) /* Test on one database. */ { struct htmlPage *emptyConfig; -struct slName *colList = NULL, *col; struct htmlFormVar *sortVar = htmlFormVarGet(dbPage->forms, orderVarName); struct slName *gene, *sort; uglyf("testDbSorts %s %s\n", org, db); if (sortVar == NULL) errAbort("Couldn't find var %s", orderVarName); emptyConfig = emptyConfigPage(dbPage, org, db); if (emptyConfig != NULL) { for (sort = sortVar->values; sort != NULL; sort= sort->next) { for (gene = geneList; gene != NULL; gene = gene->next) { testSortX(emptyConfig, org, db, sort->name, gene->name, accColumn); @@ -621,45 +617,45 @@ if (section) { if (sameWord(section,targ)) { result=raHash; } } } freez(&targ); return result; } void inheritRa(char **pvar, struct hash *ra, char *name) /* override previous value if non-null value found */ { -char *temp=NULL; -if (temp = hashFindVal(ra, name)) +char *temp = hashFindVal(ra, name); +if (temp) { *pvar = temp; } } char *getFieldWhereField(char *db, char *table, char *field, char *whereField, char *whereValue) /* Get random sample from database. */ { struct sqlConnection *conn = sqlConnect(db); char query[256], **row; struct sqlResult *sr; char *result=NULL; -safef(query, sizeof(query), "select %s from %s where %s = '%s'", +sqlSafef(query, sizeof(query), "select %s from %s where %s = '%s'", field, table, whereField, whereValue); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { result = cloneString(row[0]); } sqlFreeResult(&sr); sqlDisconnect(&conn); return result; } int genePredCdnaSize(struct genePred *gp) /* Return total size of all exons. */ { @@ -672,31 +668,31 @@ } return totalSize; } struct dnaSeq *hDnaFromSeqD(char *db, char *seqName, int start, int end, enum dnaCase dnaCase) /* Fetch DNA (galt added db) */ { char fileName[512]; char query[512]; struct dnaSeq *seq = NULL; struct sqlConnection *conn = sqlConnect(db); struct sqlResult *sr; char **row; -safef(query, sizeof(query), "select fileName from chromInfo where chrom='%s'", seqName); +sqlSafef(query, sizeof(query), "select fileName from chromInfo where chrom='%s'", seqName); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { safef(fileName,sizeof(fileName),"%s",row[0]); } sqlFreeResult(&sr); sqlDisconnect(&conn); seq = nibLoadPart(fileName, start, end-start); if (dnaCase == dnaUpper) touppers(seq->dna); return seq; } struct dnaSeq *getCdnaSeqD(char *db, struct genePred *gp) @@ -748,31 +744,31 @@ struct dnaSeq *htcGeneMrna(char *db, char * table, char *geneName) /* Display cDNA predicted from genome */ { char query[512]; struct sqlConnection *conn = sqlConnect(db); struct sqlResult *sr; char **row; struct genePred *gp; struct dnaSeq *seq=NULL; int cdsStart, cdsEnd; int rowOffset = 0; char *fld=NULL; int f = 0; -safef(query, sizeof(query), "select * from %s where name = '%s'", table, geneName); +sqlSafef(query, sizeof(query), "select * from %s where name = '%s'", table, geneName); sr = sqlGetResult(conn, query); while ((fld = sqlFieldName(sr)) != NULL) { if (sameString(fld,"bin")) { rowOffset = f+1; } f++; } uglyf("rowOffset=%d \n",rowOffset); if ((row = sqlNextRow(sr)) != NULL) { gp = genePredLoad(row+rowOffset); seq = getCdnaSeqD(db, gp); @@ -793,31 +789,30 @@ void testDb(struct htmlPage *orgPage, struct htmlForm *orgForm, char *org, char *db) /* Test on one database. */ { struct hash *genomeRa=NULL; char *dnaTable = NULL; char *lnkTable = NULL; char *proTable = NULL; char *dnaColumn = NULL; char *lnkColumn = NULL; char *proColumn = NULL; char *method = NULL; -char *temp = NULL; genomeRa=findRaSection(raList,"global"); if (!genomeRa) { errAbort("testDb: .ra has no global section \n"); } inheritRa(&dnaTable, genomeRa, "dna"); inheritRa(&lnkTable, genomeRa, "lnk"); inheritRa(&proTable, genomeRa, "pro"); inheritRa(&dnaColumn, genomeRa, "dnaColumn"); inheritRa(&lnkColumn, genomeRa, "lnkColumn"); inheritRa(&proColumn, genomeRa, "proColumn"); inheritRa(&method, genomeRa, "method"); genomeRa=findRaSection(raList,org); @@ -916,35 +911,33 @@ else if (sameWord(method,"2")) geneList = sqlRandomSample(db, proTable, dnaColumn, clRepeat); else errAbort("unknown method %s in .ra",method); if (!geneList) { uglyf("testDb: sqlRandomSample returned empty geneList for %s.%s \n",db,dnaTable); return; } struct htmlPage *dbPage; //debug struct dyString *dy = newDyString(0); - int geneCount = slCount(geneList); struct slName *gene; //char *dna = NULL; //HGID retId = 0; - char *tempdna = NULL; struct dnaSeq *dnaseq=NULL; aaSeq *proseq=NULL; struct sqlConnection *conn = hAllocOrConnect(db); uglyf("sqlGetDatabase(conn) = %s\n", sqlGetDatabase(conn) ); //uglyf("host=%s, db=%s, user=%s, pwd=%s \n", hGetDbHost(), hGetDbName(), hGetDbUser(), hGetDbPassword()); char *acc = NULL; int g = 0; for (gene = geneList; gene != NULL; gene = gene->next) { //uglyf("testDb: got to top of geneList loop for %s.%s \n",db,dnaTable);