080a160c7b9595d516c9c70e83689a09b60839d0
galt
Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgGene/go.c src/hg/hgGene/go.c
index e2c7c3c..3379fa6 100644
--- src/hg/hgGene/go.c
+++ src/hg/hgGene/go.c
@@ -9,78 +9,78 @@
#include "hdb.h"
static boolean goExists(struct section *section,
struct sqlConnection *conn, char *geneId)
/* Return TRUE if GO database exists and has something
* on this one. */
{
char query[512];
char *fbAcc = getFlyBaseId(conn, geneId);
boolean useFbGo = (isFly() && fbAcc != NULL && sqlTableExists(conn, "fbGo"));
if (!sqlDatabaseExists("go"))
return(FALSE);
if (useFbGo)
{
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
"select count(*) from fbGo where geneId = '%s'",
fbAcc);
return sqlQuickNum(conn, query) > 0;
}
else
{
if (swissProtAcc == NULL || !sqlTableExists(conn, "go.goaPart"))
return FALSE;
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
"select count(*) from go.goaPart where dbObjectId = '%s'",
swissProtAcc);
return sqlQuickNum(conn, query) > 0;
}
}
static void goPrint(struct section *section,
struct sqlConnection *conn, char *geneId)
/* Print out GO annotations. */
{
struct sqlConnection *goConn = hAllocConn("go");
char *fbAcc = getFlyBaseId(conn, geneId);
boolean useFbGo = (isFly() && fbAcc != NULL && sqlTableExists(conn, "fbGo"));
char *acc = useFbGo ? fbAcc : swissProtAcc;
char query[512];
struct sqlResult *sr;
char **row;
static char *aspects[3] = {"F", "P", "C"};
static char *aspectNames[3] = {
"Molecular Function",
"Biological Process",
"Cellular Component",
};
int aspectIx;
for (aspectIx = 0; aspectIx < ArraySize(aspects); ++aspectIx)
{
boolean hasFirst = FALSE;
if (useFbGo)
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
"select term.acc,term.name"
" from %s.fbGo,term"
" where %s.fbGo.geneId = '%s'"
" and %s.fbGo.goId = term.acc"
" and %s.fbGo.aspect = '%s'",
database, database, acc, database, database, aspects[aspectIx]);
else
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
"select term.acc,term.name"
" from goaPart,term"
" where goaPart.dbObjectId = '%s'"
" and goaPart.goId = term.acc"
" and goaPart.aspect = '%s'"
, acc, aspects[aspectIx]);
sr = sqlGetResult(goConn, query);
while ((row = sqlNextRow(sr)) != NULL)
{
char *goID = row[0];
char *goTermName = row[1];
if (!hasFirst)
{
hPrintf("%s:
", aspectNames[aspectIx]);
hasFirst = TRUE;