080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGene/pseudoGene.c src/hg/hgGene/pseudoGene.c
index ac3d773..88ecdb6 100644
--- src/hg/hgGene/pseudoGene.c
+++ src/hg/hgGene/pseudoGene.c
@@ -12,31 +12,31 @@
 #include "hgGene.h" static boolean pseudoGeneExists(struct section *section, struct sqlConnection *conn, char *geneId) /* Return TRUE if mrna on this one. */ { boolean result; result = FALSE; if (hTableExists(sqlGetDatabase(conn), "ucscRetroInfo")) { struct sqlResult *sr; char **row; char query[255]; - safef(query, sizeof(query), + sqlSafef(query, sizeof(query), "select name from ucscRetroInfo where name='%s' or kgName='%s' or refseq='%s'", geneId, geneId, geneId); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { result = TRUE; } sqlFreeResult(&sr); } return(result); } static void pseudoGenePrint(struct section *section, struct sqlConnection *conn, char *geneId)
@@ -47,31 +47,31 @@
 char condStr[255]; char *descID, *desc; char *emptyStr; char query[255]; char *name, *chrom, *chromStart, *chromEnd, *refseq, *rtype; int score; webPrintLinkTableStart(); webPrintLabelCell("Retro Id"); webPrintLabelCell("Type"); webPrintLabelCell("Score "); webPrintLabelCell("Genome Location"); webPrintLabelCell("Description"); hPrintf("</TR>\n<TR>"); emptyStr = cloneString(""); -safef(query, sizeof(query), +sqlSafef(query, sizeof(query), "select distinct name, chrom, chromStart, chromEnd, refseq, type, score from ucscRetroInfo where name='%s' or kgName='%s' or refseq='%s'", geneId, geneId, geneId); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { name = row[0]; chrom = row[1]; chromStart = row[2]; chromEnd = row[3]; refseq = row[4]; rtype = row[5]; score = sqlUnsigned(row[6]); desc = emptyStr; safef(condStr, sizeof(condStr), "acc='%s'", refseq);
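Review bot: The last line of the second hunk still builds a SQL fragment with the unescaped formatter, `safef(condStr, sizeof(condStr), "acc='%s'", refseq);`, while the two query builds this commit touches were switched to sqlSafef. `refseq` is read back from a ucscRetroInfo row rather than taken from the request, so the exposure is indirect, but it is the same interpolation pattern the commit is fixing, and condStr is presumably spliced into a later query (pseudoGenePrint continues past the hunk, so that use is not visible here). If so, it should go through the escaping variant for fragments, `sqlSafefFrag(condStr, sizeof(condStr), "acc='%s'", refseq);` (or whichever fragment-escaping call this revision of jksql provides), or be folded into the final query as an escaped `%s` argument instead of being pre-assembled.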