080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGene/hgGene.c src/hg/hgGene/hgGene.c
index eaee604..4289dd8 100644
--- src/hg/hgGene/hgGene.c
+++ src/hg/hgGene/hgGene.c
@@ -117,88 +117,88 @@
 } } freeMem(dupe); return ok; } /* --------------- Mid-level utility functions ----------------- */ char *genoQuery(char *id, char *settingName, struct sqlConnection *conn) /* Look up sql query in genome.ra given by settingName, * plug id into it, and return. */ { char query[256]; char *sql = genomeSetting(settingName);
-safef(query, sizeof(query), sql, id);
+sqlSafef(query, sizeof(query), sql, id);
 return sqlQuickString(conn, query); } char *getGeneName(char *id, struct sqlConnection *conn) /* Return gene name associated with ID. Freemem * this when done. */ { char *name = genoQuery(id, "nameSql", conn); if (name == NULL) name = cloneString(id); return name; } char *getSwissProtAcc(struct sqlConnection *conn, struct sqlConnection *spConn, char *geneId) /* Look up SwissProt id. Return NULL if not found. FreeMem this when done. * spConn is existing SwissProt database conn. May be NULL. */ { char *proteinSql = genomeSetting("proteinSql"); char query[256]; char *someAcc, *primaryAcc = NULL; if (isRgdGene(conn)) { return(getRgdGeneUniProtAcc(curGeneId, conn)); }
-safef(query, sizeof(query), proteinSql, geneId);
+sqlSafef(query, sizeof(query), proteinSql, geneId);
 someAcc = sqlQuickString(conn, query); if (someAcc == NULL || someAcc[0] == 0) return NULL; primaryAcc = spFindAcc(spConn, someAcc); freeMem(someAcc); return primaryAcc; } /* --------------- Page printers ----------------- */ boolean idInAllMrna(char *id, struct sqlConnection *conn) /* Return TRUE if id is in allMrna table */ { char query[256];
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
 "select count(*) from all_mrna where qName = '%s'", id); return sqlQuickNum(conn, query) > 0; } boolean idInRefseq(char *id, struct sqlConnection *conn) /* Return TRUE if id is in refGene table */ { char query[256];
-if (!sqlTablesExist(conn, "refGene"))
+if (!sqlTableExists(conn, "refGene"))
 { return(FALSE); }
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
 "select count(*) from refGene where name = '%s'", id); return sqlQuickNum(conn, query) > 0; } char *abbreviateSummary(char *summary) /* Get rid of some repetitious stuff. */ { char *pattern = "Publication Note: This RefSeq record includes a subset " "of the publications that are available for this gene. " "Please see the Entrez Gene record to access additional publications."; stripString(summary, pattern); return summary; }
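Review bot: genoQuery and getSwissProtAcc now hand sqlSafef a format string read from genome.ra (`sql`, `proteinSql`) rather than a literal, so whether `id`/`geneId` is actually escaped depends on that configured query spelling its placeholder as a quoted `'%s'` — nothing in this hunk checks the setting, and a setting that omits the quotes or uses a different directive would leave the request value unescaped (assuming sqlSafef escapes per directive as it does for the literal formats below). A comment on genoQuery would record that contract: `/* sql comes from genome.ra; it must quote its %s ('%s') so sqlSafef can escape id. */`, and the same note belongs on the proteinSql call. Escaping can also lengthen the value while every buffer here stays a fixed `char query[256]`, so if sqlSafef follows safef's behaviour on overflow (presumably an abort) an over-long request id now reaches that limit sooner; checking the id's length before building the query would turn that into a clear user error. The hunk additionally renames sqlTablesExist to sqlTableExists in idInRefseq, which the commit message does not mention.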
@@ -512,110 +512,110 @@
 printDescription(curGeneId, conn); sectionList = loadSectionList(conn); printIndex(sectionList); struct trackDb *tdb = hTrackDbForTrack(database, genomeSetting("knownGene")); printUpdateTime(database, tdb, NULL); printSections(sectionList, conn, curGeneId); } static char *findGeneId(struct sqlConnection *conn, char *name) /* Given some sort of gene name, see if it is in our primary gene table, and if not * look it up in alias table if we have one. */ { /* Just check if it's in the main gene table, and if so return input name. */ char *mainTable = genomeSetting("knownGene"); char query[256];
-safef(query, sizeof(query), "select count(*) from %s where name = '%s'", mainTable, name);
+sqlSafef(query, sizeof(query), "select count(*) from %s where name = '%s'", mainTable, name);
 if (sqlQuickNum(conn, query) > 0) return name; else { /* check OMIM gene symbol table first */ if (sqlTableExists(conn, "omimGeneSymbol")) {
- safef(query, sizeof(query), "select geneSymbol from omimGeneSymbol where geneSymbol= '%s'", name);
+ sqlSafef(query, sizeof(query), "select geneSymbol from omimGeneSymbol where geneSymbol= '%s'", name);
 char *symbol = sqlQuickString(conn, query); if (symbol != NULL) {
- safef(query, sizeof(query), "select kgId from kgXref where geneSymbol = '%s'", symbol);
+ sqlSafef(query, sizeof(query), "select kgId from kgXref where geneSymbol = '%s'", symbol);
 char *kgId = sqlQuickString(conn, query); if (kgId != NULL) { /* The canonical gene is preferred */
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select c.transcript from knownCanonical c,knownIsoforms i where i.transcript = '%s' and i.clusterId=c.clusterId", kgId); char *canonicalKgId = sqlQuickString(conn, query); if (canonicalKgId != NULL) { return canonicalKgId; } else return(kgId); } } } } char *alias = genomeOptionalSetting("kgAlias"); if (alias != NULL && sqlTableExists(conn, alias)) {
- safef(query, sizeof(query), "select kgID from %s where alias = '%s'", alias, name);
+ sqlSafef(query, sizeof(query), "select kgID from %s where alias = '%s'", alias, name);
 char *id = sqlQuickString(conn, query); if (id == NULL) hUserAbort("Couldn't find %s in %s.%s or %s.%s", name, database, mainTable, database, alias); return id; } else hUserAbort("Couldn't find %s in %s.%s", name, database, mainTable); return NULL; } static void getGenePosition(struct sqlConnection *conn) /* Get gene position from database. */ { char *table = genomeSetting("knownGene"); char query[256]; struct sqlResult *sr; char **row;
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
 "select chrom,txStart,txEnd from %s where name = '%s'" , table, curGeneId); sr = sqlGetResult(conn, query); row = sqlNextRow(sr); if (row != NULL) { curGeneChrom = cloneString(row[0]); curGeneStart = atoi(row[1]); curGeneEnd = atoi(row[2]); } else hUserAbort("Couldn't find %s in %s.%s", curGeneId, database, table); sqlFreeResult(&sr); } struct genePred *getCurGenePred(struct sqlConnection *conn) /* Return current gene in genePred. */ { char *track = genomeSetting("knownGene"); char table[64]; boolean hasBin; char query[256]; struct sqlResult *sr; char **row; struct genePred *gp = NULL; hFindSplitTable(sqlGetDatabase(conn), curGeneChrom, track, table, &hasBin);
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
 "select * from %s where name = '%s' " "and chrom = '%s' and txStart=%d and txEnd=%d" , table, curGeneId, curGeneChrom, curGeneStart, curGeneEnd); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) gp = genePredLoad(row + hasBin); sqlFreeResult(&sr); if (gp == NULL) errAbort("getCurGenePred: Can't find %s", query); return gp; } void doKgMethod() /* display knownGene.html content (UCSC Known Genes * Method, Credits, and Data Use Restrictions) */
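Review bot: In getCurGenePred the failure path `errAbort("getCurGenePred: Can't find %s", query);` puts the fully assembled SQL statement — resolved table name, column names and the request-supplied gene id — into the error text, and if errAbort output reaches the HTTP response the way hUserAbort's presumably does, that hands schema detail to the requester on every miss. Reporting the lookup key the way getGenePosition already does keeps the message just as useful: `errAbort("getCurGenePred: Can't find %s in %s.%s", curGeneId, database, table);`. The table-name arguments in findGeneId, getGenePosition and getCurGenePred (`mainTable`, `alias`, `table`) are substituted into unquoted identifier positions, where escaping cannot validate anything, so the new code is only as safe as those genomeSetting/genomeOptionalSetting values; a one-line comment at the first such call, `/* %s table name comes from genome.ra, never from the request */`, would make that dependency explicit for the next reader. getGenePosition also converts `row[1]`/`row[2]` with atoi, which silently yields 0 on malformed data; that predates this change but is worth a follow-up since the values feed the txStart/txEnd match in getCurGenePred.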