080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgGene/flyBaseInfo.c src/hg/hgGene/flyBaseInfo.c
index 8752c7e..df9a456 100644
--- src/hg/hgGene/flyBaseInfo.c
+++ src/hg/hgGene/flyBaseInfo.c
@@ -15,60 +15,60 @@
 /* Return true if organism is D. melanogaster. */
 {
 return(sameWord(hOrganism(database), "D. melanogaster"));
 }
 
 char *getFlyBaseId(struct sqlConnection *conn, char *geneId)
 /* Return flyBase ID of gene if any. */
 {
 if (sqlTableExists(conn, "bdgpGeneInfo"))
     {
     char query[256];
     char *cutId = cloneString(geneId);
     char *e = strchr(cutId, '-');
     if (e != NULL) 
 	*e = 0;
-    safef(query, sizeof(query), 
+    sqlSafef(query, sizeof(query), 
 	  "select flyBaseId from bdgpGeneInfo where bdgpName = '%s'", cutId);
     freeMem(cutId);
     return sqlQuickString(conn, query);
     }
 else if (sqlTableExists(conn, "flyBase2004Xref"))
     {
     char query[256];
-    safef(query, sizeof(query),
+    sqlSafef(query, sizeof(query),
 	  "select fbgn from flyBase2004Xref where name = '%s'", geneId);
     return sqlQuickString(conn, query);
     }
 return NULL;
 }
 
 static boolean flyBaseInfoExists(struct section *section, 
 	struct sqlConnection *conn, char *geneId)
 /* Return TRUE if flyBase info tables exist. */
 {
 char *flyBaseId = getFlyBaseId(conn, geneId);
 char query[256];
 int roleCount;
 
 if (flyBaseId == NULL)
     return FALSE;
 if (!sqlTableExists(conn, section->flyBaseTable) )
     return FALSE;
 if (!sqlTablesExist(conn, "fbAllele fbGene fbRef") )
     return FALSE;
-safef(query, sizeof(query), "select count(*) from %s where geneId = '%s'", 
+sqlSafef(query, sizeof(query), "select count(*) from %s where geneId = '%s'", 
 	section->flyBaseTable, flyBaseId);
 roleCount = sqlQuickNum(conn, query);
 freeMem(flyBaseId);
 return roleCount != 0;
 }
 
 struct fbAlleleInfo
 /* Info on allele */
     {
     struct fbAlleleInfo *next;
     int id;	
     struct fbRole *roleList;
     };
 
 static int fbAlleleInfoCmp(const void *va, const void *vb)
@@ -119,74 +119,74 @@
 	   hPrintf("</I>");
 	}
     else
         hPrintf("%c", c);
     }
 if (italic)	/* Just in case turn off. */
     hPrintf("</I>");
 }
 
 
 static void printCite(struct sqlConnection *conn, int id)
 /* Print out reference info. */
 {
 char query[256];
 char *refText;
-safef(query, sizeof(query), "select text from fbRef where id=%d", id);
+sqlSafef(query, sizeof(query), "select text from fbRef where id=%d", id);
 refText = sqlQuickString(conn, query);
 if (refText != NULL)
     {
     char *s = refText;
     if (startsWith("FBrf", refText))
         {
 	char *e = stringIn("==", s);
 	if (e != NULL)
 	    s = e + 3;
 	}
     hPrintf(" (%s)", s);
     freeMem(refText);
     }
 }
 
 static void flyBaseInfoPrint(struct section *section, 
 	struct sqlConnection *conn, char *geneId)
 /* Print out FlyBase info. */
 {
 char *flyBaseId = getFlyBaseId(conn, geneId);
 char query[256], **row;
 struct sqlResult *sr;
 struct fbAlleleInfo *alleleList = NULL, *allele;
 struct hash *alleleHash = newHash(10);
 struct fbRole *role = NULL;
 
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
 	"select * from %s where geneId='%s'", section->flyBaseTable, flyBaseId);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     role = fbRoleLoad(row);
     addToAllele(alleleHash, &alleleList, role->fbAllele, role);
     }
 sqlFreeResult(&sr);
 
 slSort(&alleleList, fbAlleleInfoCmp);
 for (allele = alleleList; allele != NULL; allele = allele->next)
     {
     char *alleleName = NULL;
     if (allele->id != 0)
         {
-	safef(query, sizeof(query), 
+	sqlSafef(query, sizeof(query), 
 		"select name from fbAllele where id=%d", allele->id);
 	alleleName = sqlQuickString(conn, query);
 	if (alleleName != NULL)
 	    hPrintf("<B>Allele %s:</B><BR>\n", alleleName);
 	}
     if (allele->roleList != NULL)
         {
 	hPrintf("<UL>");
 	for (role = allele->roleList; role != NULL; role = role->next)
 	    {
 	    hPrintf("<LI>");
 	    printSubAt(role->text);
 	    printCite(conn, role->fbRef);
 	    hPrintf("\n");
 	    }
@@ -223,59 +223,59 @@
 {
 return flyBaseInfoSection(conn, sectionRa, "flyBasePhenotypes", "fbPhenotype");
 }
 
 static void flyBaseSynonymsPrint(struct section *section, 
 	struct sqlConnection *conn, char *geneId)
 /* Print out flyBase synonyms. */
 {
 char *flyBaseId = getFlyBaseId(conn, geneId);
 char *geneSym = NULL, *geneName = NULL;
 char query[256], **row;
 struct sqlResult *sr;
 
 if (flyBaseId != NULL)
     {
-    safef(query, sizeof(query), 
+    sqlSafef(query, sizeof(query), 
 	    "select geneSym,geneName from fbGene where geneId = '%s'", 
 	    flyBaseId);
     sr = sqlGetResult(conn, query);
     if ((row = sqlNextRow(sr)) != NULL)
 	{
 	if (row[0][0] != 0 && !sameString(row[0], "n/a"))
 	    {
 	    geneSym = cloneString(row[0]);
 	    hPrintf("<B>Symbol:</B> %s ", row[0]);
 	    }
 	if (row[1][0] != 0 && !sameString(row[0], "n/a"))
 	    {
 	    geneName = cloneString(row[1]);
 	    hPrintf("<B>Name:</B> %s ", geneName);
 	    }
 	}
     sqlFreeResult(&sr);
     }
 
 hPrintf("<B>BDGP:</B> %s ", geneId);
 if (flyBaseId != NULL)
     hPrintf("<B>FlyBase:</B> %s ", flyBaseId);
 hPrintf("<BR>\n");
 
 if (flyBaseId != NULL)
     {
     struct slName *synList = NULL, *syn;
-    safef(query, sizeof(query), 
+    sqlSafef(query, sizeof(query), 
 	    "select name from fbSynonym where geneId = '%s'", 
 	    flyBaseId);
     sr = sqlGetResult(conn, query);
     while ((row = sqlNextRow(sr)) != NULL)
         {
 	char *s = row[0];
 	if (!sameString(s, geneSym) && !sameString(s, geneName))
 	    {
 	    syn = slNameNew(s);
 	    slAddHead(&synList, syn);
 	    }
 	}
     sqlFreeResult(&sr);
     if (synList != NULL)
         {
@@ -304,31 +304,31 @@
     }
 return section;
 }
 
 
 static void bdgpExprInSituPrint(struct section *section, 
 	struct sqlConnection *conn, char *geneId)
 /* Print out BDGP Expression in situ image links. */
 {
 char *flyBaseId = getFlyBaseId(conn, geneId);
 char query[256], **row;
 struct sqlResult *sr;
 
 if (flyBaseId != NULL)
     {
-    safef(query, sizeof(query), 
+    sqlSafef(query, sizeof(query), 
 	    "select * from bdgpExprLink where flyBaseId = '%s'", 
 	    flyBaseId);
     sr = sqlGetResult(conn, query);
     if ((row = sqlNextRow(sr)) != NULL)
 	{
 	struct bdgpExprLink *be = bdgpExprLinkLoad(row);
 	printf("<A HREF=\"http://www.fruitfly.org/cgi-bin/ex/basic.pl?"
 	       "format=dimage_array&find=%s&searchfield=CG&bp_search=&comment="
 	       "&cytology=&location=&fnc_search=&submit=Run+Basic+Query"
 	       "&.cgifields=fnc&.cgifields=bp&.cgifields=stage\" TARGET=_BLANK>\n",
 	       be->bdgpName);
 	printf("In situ images for BDGP gene %s</A> (%s, FlyBase gene %s) ",
 	       be->bdgpName, be->symbol, be->flyBaseId);
 	puts("are available from the \n"
 	     "<A HREF=\"http://www.fruitfly.org/cgi-bin/ex/insitu.pl\""
@@ -351,31 +351,31 @@
     }
 }
 
 
 static boolean bdgpExprInSituExists(struct section *section,
 	struct sqlConnection *conn, char *geneId)
 /* Return TRUE if in situ link table exists and has something
  * on this one. */
 {
 char *flyBaseId = getFlyBaseId(conn, geneId);
 boolean exists = FALSE;
 if (flyBaseId != NULL && sqlTableExists(conn, "bdgpExprLink"))
     {
     char query[256], **row;
     struct sqlResult *sr;
-    safef(query, sizeof(query), 
+    sqlSafef(query, sizeof(query), 
 	    "select flyBaseId from bdgpExprLink where flyBaseId = '%s'", 
 	    flyBaseId);
     sr = sqlGetResult(conn, query);
     if ((row = sqlNextRow(sr)) != NULL)
 	exists = TRUE;
     sqlFreeResult(&sr);
     }
 return(exists);
 }
 
 
 struct section *bdgpExprInSituSection(struct sqlConnection *conn,
 	struct hash *sectionRa)
 /* Create BDGP Expression in situ image links section. */
 {