080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgGene/otherOrgs.c src/hg/hgGene/otherOrgs.c
index 37c0e8b..a62fd6b 100644
--- src/hg/hgGene/otherOrgs.c
+++ src/hg/hgGene/otherOrgs.c
@@ -106,48 +106,48 @@
  * on this one. */
 {
 struct otherOrg *otherOrgList;
 otherOrgList = section->items = getOtherOrgList(conn, section->raFile);
 return otherOrgList != NULL;
 return FALSE;
 }
 
 static char *otherOrgId(struct otherOrg *otherOrg, struct sqlConnection *conn, 
 	char *geneId)
 /* Return gene ID in other organism or NULL if it doesn't exist. */
 {
 if (geneId != NULL)
     {
     char query[256];
-    safef(query, sizeof(query), otherOrg->idSql, geneId);
+    sqlSafef(query, sizeof(query), otherOrg->idSql, geneId);
     return sqlQuickString(conn, query);
     }
 else
     return NULL;
 }
 
 static char *otherOrgPositionFromDb(struct otherOrg *otherOrg, char *id)
 /* Get position of id from other organism database, if possible. */
 {
 struct hTableInfo *hti = hFindTableInfo(otherOrg->db, NULL,
                                         otherOrg->geneTable);
 if (hti == NULL)
     return NULL;  // table  not found
 
 struct sqlConnection *conn = hAllocConn(otherOrg->db);
 char query[512];
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
       "select concat(%s, ':', %s+1, '-', %s) from %s "
       "where %s = '%s'",
       hti->chromField, hti->startField, hti->endField,
       otherOrg->geneTable, hti->nameField, id);
 char *pos = sqlQuickString(conn, query);
 if (pos != NULL)
     {
     char posPlus[2048];
     safef(posPlus, sizeof(posPlus), "%s&%s=%s&hgFind.matches=%s",
           pos,
           otherOrg->geneTable, hTrackOpenVis(sqlGetDatabase(conn), otherOrg->geneTable),
           id);
     hFreeConn(&conn);
     freez(&pos);
     return cloneString(posPlus);
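Review bot: In otherOrgId the format string passed at `sqlSafef(query, sizeof(query), otherOrg->idSql, geneId);` is still the idSql template read from the section's .ra file rather than a literal, so the protection sqlSafef adds depends entirely on how each template writes its placeholder — a placeholder the template leaves unquoted, or a trusted-style placeholder if the library supports one, gets no escaping, and the compiler cannot check the argument count against a non-literal format. I would document that contract where the query is built, e.g. `/* idSql comes from the .ra file and must hold exactly one quoted %s for the gene id; sqlSafef escapes that argument, nothing else is validated here. */`, and audit the existing .ra templates against it. The literal query in otherOrgPositionFromDb quotes `id`, so that one is covered by the change. The function that opens this hunk begins before it, and otherOrgPositionFromDb continues past its end.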
@@ -176,58 +176,58 @@
     }
 return NULL;
 }
 
 static char *otherOrgProteinId(struct otherOrg *otherOrg, struct sqlConnection *conn,
     char *geneId)
 /* Return protein ID in other organism or NULL if it doesn't exist. */
 {
 char *otherId = otherOrgId(otherOrg, conn, geneId);
 char *protId = NULL;
 if (otherOrg->db != NULL && otherId != NULL && otherOrg->idToProtIdSql != NULL
     && sqlDatabaseExists(otherOrg->db))
     {
     struct sqlConnection *conn = hAllocConn(otherOrg->db);
     char query[512];
-    safef(query, sizeof(query), otherOrg->idToProtIdSql, otherId);
+    sqlSafef(query, sizeof(query), otherOrg->idToProtIdSql, otherId);
     protId = sqlQuickString(conn, query);
     hFreeConn(&conn);
     }
 if (protId == NULL)
     {
     protId = otherId;
     otherId = NULL;
     }
 freez(&otherId);
 return protId;
 }
 
 static char *otherOrgExternalId(struct otherOrg *otherOrg, char *localId)
 /* Convert other organism UCSC id to external database ID. */
 {
 char *otherId = NULL;
 if (localId != NULL)
     {
     if (otherOrg->otherIdSql && sqlDatabaseExists(otherOrg->db))
 	{
 	struct sqlConnection *conn = hAllocConn(otherOrg->db);
 	char query[512];
-	safef(query, sizeof(query), otherOrg->otherIdSql, localId);
+	sqlSafef(query, sizeof(query), otherOrg->otherIdSql, localId);
 	otherId = sqlQuickString(conn, query);
 	if (otherId == NULL && otherOrg->otherIdSql2 != NULL)
 	    {
-	    safef(query, sizeof(query), otherOrg->otherIdSql2, localId);
+	    sqlSafef(query, sizeof(query), otherOrg->otherIdSql2, localId);
 	    otherId = sqlQuickString(conn, query);
 	    }
 	hFreeConn(&conn);
 	}
     else
         otherId = cloneString(localId);
     }
 return otherId;
 }
 
 static void otherOrgPrintLink(struct otherOrg *otherOrg,  
 	char *label,  char *missingLabel, boolean internalLink,
 	char *otherId, char *urlFormat)
 /* If label and urlFormat exist then print up a link.  Otherwise print n/a. */
 {
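Review bot: In otherOrgProteinId the new `sqlSafef(query, sizeof(query), otherOrg->idToProtIdSql, otherId);` runs on a `conn` declared by `struct sqlConnection *conn = hAllocConn(otherOrg->db);`, which shadows the `conn` parameter used a few lines earlier by otherOrgId; the two connections target different databases, so I would rename the inner one, `struct sqlConnection *otherConn = hAllocConn(otherOrg->db);`, and use it in the sqlQuickString and hFreeConn calls, to keep a later edit from mixing them up. The templates idToProtIdSql, otherIdSql and otherIdSql2 are all .ra-supplied format strings, so, as with idSql, escaping only reaches arguments the template quotes. On the positive side, `otherId` here is the result of an earlier query, and escaping it at this call closes the second-order path that safef left open.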
@@ -264,31 +264,31 @@
 /* Print link that will invoke self to work on other organism peptide. */
 {
 boolean gotIt = FALSE;
 webPrintLinkCellStart();
 if (id != NULL)
     {
     if (otherOrg->db != NULL && otherOrg->pepTable != NULL)
 	{
 	char dbTable[128];
 	safef(dbTable, sizeof(dbTable), "%s.%s", otherOrg->db, otherOrg->pepTable);
 	if (sqlTableExists(conn, dbTable))
 	    {
 	    struct sqlResult *sr;
 	    char **row;
 	    char query[256];
-	    safef(query, sizeof(query), "select seq from %s where name = '%s'",
+	    sqlSafef(query, sizeof(query), "select seq from %s where name = '%s'",
 	    	dbTable, id);
 	    sr = sqlGetResult(conn, query);
 	    if ((row = sqlNextRow(sr)) != NULL)
 	        {
 		gotIt = TRUE;
 		hPrintf("<A HREF=\"%s?%s&%s=%s&%s=%s&%s=%s\" class=\"toc\">",
 		    geneCgi, cartSidUrlString(cart), 
 		    command, "on",
 		    hggOtherPepTable, dbTable,
 		    hggOtherId, id);
 		hPrintf("%s", label);
 		hPrintf("</A>");
 		}
 	    sqlFreeResult(&sr);
 	    }
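Review bot: The `id` that the new `sqlSafef(query, sizeof(query), "select seq from %s where name = '%s'", dbTable, id);` now escapes for SQL is still written raw into the link a few lines later via `hggOtherId, id` inside `hPrintf("<A HREF=\"%s?%s&%s=%s&%s=%s&%s=%s\" ...`, so a value containing `"`, `&` or `<` would break out of the attribute; it should be URL-encoded there, e.g. with `cgiEncode(id)` if that helper is available, before being placed in the href. Where `id` originates is not visible, since this function's signature precedes the hunk. `dbTable` sits in the unquoted `%s` table position, where string escaping does not apply; whether sqlSafef rejects non-identifier characters there depends on the library, so the `sqlTableExists(conn, dbTable)` check just above is the effective guard and should stay in front of this query.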
@@ -381,31 +381,31 @@
 {
 char *table = cartString(cart, hggOtherPepTable);
 char *id = cartString(cart, hggOtherId);
 char name[256];
 safef(name, sizeof(name), "%s homolog", homologName);
 showSeqFromTable(conn, id, name, table);
 }
 
 static bioSeq *getSeq(struct sqlConnection *conn, char *table, char *id)
 /* Get sequence from table. */
 {
 char query[512];
 struct sqlResult *sr;
 char **row;
 bioSeq *seq = NULL;
-safef(query, sizeof(query), 
+sqlSafef(query, sizeof(query), 
     "select seq from %s where name = '%s'", table, id);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(seq);
     seq->name = cloneString(id);
     seq->dna = cloneString(row[0]);
     seq->size = strlen(seq->dna);
     }
 sqlFreeResult(&sr);
 return seq;
 }
 
 void doOtherProteinAli(struct sqlConnection *conn, 
 	char *localId, char *localName)
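Review bot: In getSeq the `table` argument goes into the unquoted `from %s` position of `sqlSafef(query, sizeof(query), "select seq from %s where name = '%s'", table, id);`, and string escaping cannot make an identifier safe because there is no quote to escape out of; the caller visible at the top of the hunk takes that name from `cartString(cart, hggOtherPepTable)`, i.e. from the request. I would guard the query with a table check, `if (!sqlTableExists(conn, table)) return NULL;`, or better compare `table` against the configured db.pepTable names before running it, as the link-printing code elsewhere in this file already does. Whether sqlSafef itself rejects non-identifier characters in an unquoted `%s` depends on the library version and is not something this hunk shows. The function that opens this hunk starts before it, and doOtherProteinAli's body lies past its end.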