080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGene/dnaBindMotif.c src/hg/hgGene/dnaBindMotif.c
index d3c6726..17cd370 100644
--- src/hg/hgGene/dnaBindMotif.c
+++ src/hg/hgGene/dnaBindMotif.c
@@ -5,59 +5,59 @@
 #include "hash.h"
 #include "linefile.h"
 #include "jksql.h"
 #include "dnaMotif.h"
 #include "dnaMotifSql.h"
 #include "hui.h"
 #include "portable.h"
 #include "hgGene.h"
 static char *orfToGene(struct sqlConnection *conn, char *orf)
 /* Return gene name of given orf, or NULL if it
 * doesn't exist. */
 {
 char gene[256];
 char query[256];
-safef(query, sizeof(query), "select value from sgdToName where name = '%s'",
+sqlSafef(query, sizeof(query), "select value from sgdToName where name = '%s'",
 orf);
 if (sqlQuickQuery(conn, query, gene, sizeof(gene)) == NULL)
 return NULL;
 return cloneString(gene);
 }
 static boolean transRegCodeMotifExists(struct section *section,
 struct sqlConnection *conn, char *geneId)
 /* Return TRUE if tables exists and have our gene. */
 {
 char *gene;
 if (!sqlTableExists(conn, "transRegCodeMotif"))
 return FALSE;
 if (!sqlTableExists(conn, "sgdToName"))
 return FALSE;
 gene = orfToGene(conn, geneId);
 if (gene == NULL)
 return FALSE;
 return sqlRowExists(conn, "transRegCodeMotif", "name", gene);
 }
 struct dnaMotif *dnaMotifLoadNamed(struct sqlConnection *conn, char *table, char *name)
 /* Load motif of given name from table. Return NULL if no such
 * motif. */
 {
 char where[256];
-safef(where, sizeof(where), "name='%s'", name);
+sqlSafefFrag(where, sizeof(where), "name='%s'", name);
 return dnaMotifLoadWhere(conn, table, where);
 }
 struct dnaMotif *transRegMotif(struct sqlConnection *conn, char *geneId)
 /* Get motif for gene, NULL if none. */
 {
 struct dnaMotif *motif = NULL;
 char *gene = orfToGene(conn, geneId);
 if (gene != NULL)
 motif = dnaMotifLoadNamed(conn, "transRegCodeMotif", gene);
 return motif;
 }
 static void transRegCodeMotifPrint(struct section *section,
 struct sqlConnection *conn, char *geneId)
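Review bot: The two replacements are the right calls, but nothing in the code records why dnaMotifLoadNamed uses the `sqlSafefFrag` form while orfToGene uses `sqlSafef`, so a later edit could "normalize" the fragment call to the full-statement one and break the query that dnaMotifLoadWhere presumably builds around it; a one-line comment on the `sqlSafefFrag` line would pin this: `/* Frag form: this is only a WHERE clause; dnaMotifLoadWhere composes the full statement. */`. It is also worth stating in orfToGene's header comment that `orf` is untrusted input (it is the `geneId` reaching this file, presumably from the CGI request) and that the `'%s'` value is escaped by sqlSafef, since that is the property this commit relies on. Both destination buffers are 256 bytes; if escaping can lengthen the value and sqlSafef keeps safef's overflow policy, an overlong name ends in an abort rather than a silently truncated query, which is acceptable but deserves a note next to the `char query[256];` declaration. The hunk ends on transRegCodeMotifPrint's signature; its body is outside this hunk and was not reviewed.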