080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgGene/rgdInfo.c src/hg/hgGene/rgdInfo.c
index f9dae8f..96f1892 100644
--- src/hg/hgGene/rgdInfo.c
+++ src/hg/hgGene/rgdInfo.c
@@ -24,31 +24,31 @@
 
 char *getRgdGeneId(struct sqlConnection *conn, char *geneId)
 /* Return rgdGene ID for now. */
 {
 return(geneId);
 }
 
 char *getRgdGeneUniProtAcc(char *geneId, struct sqlConnection *conn)
 /* get UniProt Acc from an RGD Gene ID */
 {
 char query[256];
 struct sqlResult *sr;
 char **row;
 char *protAcc;
 
-safef(query, sizeof(query), "select value from rgdGene2ToUniProt where name = '%s'", geneId);
+sqlSafef(query, sizeof(query), "select value from rgdGene2ToUniProt where name = '%s'", geneId);
 sr = sqlGetResult(conn, query);
 
 row = sqlNextRow(sr);
 if (row != NULL)
     {
     protAcc = strdup(row[0]);
     sqlFreeResult(&sr);
     return(protAcc);
     }
 else
     {
     sqlFreeResult(&sr);
     return(NULL);
     }
 }
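Review bot: The ownership of the string returned by getRgdGeneUniProtAcc is undocumented: the function hands back a `strdup` copy that the caller must free, or NULL when no row matches, while the header comment says only `/* get UniProt Acc from an RGD Gene ID */`; suggest `/* get UniProt Acc from an RGD Gene ID; returns a malloc'd copy the caller must free, or NULL if there is no match */`. Separately, `protAcc = strdup(row[0]);` is undefined behaviour if the `value` column can be NULL, which the hunk does not show either way; if the schema permits that, guard it with `protAcc = (row[0] != NULL) ? strdup(row[0]) : NULL;`. The sqlSafef change itself is the right fix for the quoted `'%s'` argument, since geneId arrives from the caller and was previously interpolated unescaped.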
@@ -119,31 +119,31 @@
 	printf("<b>%s:</b> %s<br>\n", colName, row[iCol]);fflush(stdout);
     	}
     }
 
 static void rgdGeneInfoPrint(struct section *section, 
 	struct sqlConnection *conn, char *geneId)
 /* Print out RgdGene info. */
 {
 char *rgdGeneId = getRgdGeneId(conn, geneId);
 char query[256], **row;
 struct sqlResult *sr;
 char *chp;
 int iCol;
 
 chp = strstr(rgdGeneId, ":"); chp++;
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
       "select * from %s where gene_rgd_id='%s'", section->rgdGeneTable, chp);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
     	{
     	/* Data of some columns are not displayed.
 	   The statements for those are left there but commented out for documentation purpose.
 	   In case we need additional variables displayed, just un-comment the lines.
 	*/
 
 	iCol = 0;
 	do1Colx(row, iCol, "gene_rgd_id", "RGD Gene", RGD_GENE_URL); 
 	
 	iCol++;
 	do1Colx(row, iCol, "symbol", "Gene Symbol", NULL);
 	
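Review bot: `chp = strstr(rgdGeneId, ":"); chp++;` dereferences through a NULL pointer when the gene ID contains no ':' — strstr returns NULL, `chp++` is then pointer arithmetic on NULL, and the NULL `chp` is handed to sqlSafef as the `gene_rgd_id` value; the escaping change does not address this. Since getRgdGeneId currently returns the caller-supplied geneId unchanged (first hunk), the ID shape is not validated anywhere visible here. Suggest splitting the line and failing loudly on a malformed ID: `chp = strstr(rgdGeneId, ":");` / `if (chp == NULL) errAbort("rgdGeneInfoPrint: gene ID '%s' lacks ':' separator", rgdGeneId);` / `chp++;`. rgdGeneInfoPrint continues past the end of this hunk.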
@@ -256,51 +256,51 @@
 	iCol++;
 	//do1Col(row, iCol, "splice_rgd_id"); 
 	
 	iCol++;
 	//do1Col(row, iCol, "splice_symbol"); 
 	
 	iCol++;
 	//do1Col(row, iCol, "gene_type"); 
 	
 	iCol++;
 	do1Colx(row, iCol, "ensembl_id", "Ensembl Gene", ENSEMBL_URL); 
     }
 sqlFreeResult(&sr);
 
 /* display IMAGE info */
-safef(query, sizeof(query), "select info from rgdGene2Xref where rgdGeneId='%s' and infoType='IMAGE'", rgdGeneId);
+sqlSafef(query, sizeof(query), "select info from rgdGene2Xref where rgdGeneId='%s' and infoType='IMAGE'", rgdGeneId);
 sr = sqlGetResult(conn, query);
 row = sqlNextRow(sr);
 if (row != NULL)
     {
     printf("<b>IMAGE CLONE: </b>");
 
     while (row != NULL)
     	{
     	printf("<A HREF=\"%s", IMAGE_URL);
     	printf("%s", row[0]);fflush(stdout);
     	printf("\" TARGET=_blank>%s</A>", row[0]);fflush(stdout);
 	row = sqlNextRow(sr);
 	if (row != NULL) printf(", ");
         }
     printf("<br>");
     }
 sqlFreeResult(&sr);
 
 /* display MGC info */
-safef(query, sizeof(query), "select info from rgdGene2Xref where rgdGeneId='%s' and infoType='MGC'", rgdGeneId);
+sqlSafef(query, sizeof(query), "select info from rgdGene2Xref where rgdGeneId='%s' and infoType='MGC'", rgdGeneId);
 sr = sqlGetResult(conn, query);
 row = sqlNextRow(sr);
 if (row != NULL)
     {
     printf("<b>MGC: </b>");
 
     while (row != NULL)
     	{
     	printf("<A HREF=\"%s", MGC_URL);
     	printf("%s", row[0]);fflush(stdout);
     	printf("\" TARGET=_blank>%s</A>", row[0]);fflush(stdout);
 	row = sqlNextRow(sr);
 	if (row != NULL) printf(", ");
         }
     printf("<br>");
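Review bot: The IMAGE block and the MGC block in this hunk are the same dozen lines twice, differing only in the `infoType` literal, the label and the URL prefix, and the sqlSafef fix had to be applied to each copy separately; a static helper taking those three values would leave one query to keep safe and one place to maintain. The helper below preserves the output byte for byte (label text includes the trailing colon and space, links are comma-separated, `<br>` closes the list) and keeps the query as a single sqlSafef literal with two quoted `%s` arguments. One further point worth a hedged look: `row[0]` is emitted unescaped both inside the href and as link text; the values come from the project's own rgdGene2Xref table, so this is only a concern if that table can hold attacker-influenced content. rgdGeneInfoPrint continues past the end of this hunk.
```c
/* Print every rgdGene2Xref entry of one infoType for rgdGeneId as a
 * comma-separated list of links prefixed by label; prints nothing
 * when there are no entries. */
static void printRgdXrefLinks(struct sqlConnection *conn, char *rgdGeneId,
	char *infoType, char *label, char *urlPrefix)
{
char query[256], **row;
struct sqlResult *sr;
sqlSafef(query, sizeof(query),
      "select info from rgdGene2Xref where rgdGeneId='%s' and infoType='%s'",
      rgdGeneId, infoType);
sr = sqlGetResult(conn, query);
row = sqlNextRow(sr);
if (row != NULL)
    {
    printf("<b>%s</b>", label);
    while (row != NULL)
	{
	printf("<A HREF=\"%s%s\" TARGET=_blank>%s</A>", urlPrefix, row[0], row[0]);
	fflush(stdout);
	row = sqlNextRow(sr);
	if (row != NULL) printf(", ");
	}
    printf("<br>");
    }
sqlFreeResult(&sr);
}

/* … unchanged: column printing loop in rgdGeneInfoPrint … */
/* display IMAGE info */
printRgdXrefLinks(conn, rgdGeneId, "IMAGE", "IMAGE CLONE: ", IMAGE_URL);
/* display MGC info */
printRgdXrefLinks(conn, rgdGeneId, "MGC", "MGC: ", MGC_URL);
```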