080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGene/sequence.c src/hg/hgGene/sequence.c
index 96c3f98..f98766f 100644
--- src/hg/hgGene/sequence.c
+++ src/hg/hgGene/sequence.c
@@ -41,31 +41,31 @@ printLongWithCommas(stdout, end); hPrintf(")"); webPrintLinkCellEnd(); } static void printSeqLink(struct sqlConnection *conn, char *geneId, char *tableId, char *command, char *label, int colCount) /* Print out link to mRNA or protein. */ { char *table = genomeSetting(tableId); boolean gotHyperlink = FALSE; webPrintWideCellStart(colCount, HG_COL_TABLE); if (sqlTableExists(conn, table)) { char query[512];
- safef(query, sizeof(query), "select count(*) from %s where name = '%s'",
+ sqlSafef(query, sizeof(query), "select count(*) from %s where name = '%s'", table, geneId); if (sqlExists(conn, query)) { hPrintf("", cartSidUrlString(cart), command, geneId); hPrintf("%s", label); gotHyperlink = TRUE; } } if (!gotHyperlink) hPrintf("%s", label); webPrintLinkCellEnd(); }
@@ -76,31 +76,31 @@ char *tableId = "knownGene"; if (genomeOptionalSetting("knownGeneMrna") != NULL) { title = "mRNA (may differ from genome)"; tableId = "knownGeneMrna"; } printSeqLink(conn, geneId, tableId, hggDoGetMrnaSeq, title, 2); } void printProteinSeqLink(struct sqlConnection *conn, char *geneId) /* Print out link to fetch protein. */ { char *table = genomeSetting("knownGenePep"); char query[256]; char title[128];
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query), "select length(seq) from %s where name='%s'" , table, geneId); int protSize = sqlQuickNum(conn, query); if (protSize > 0) { safef(title, sizeof(title), "Protein (%d aa)", protSize); printSeqLink(conn, geneId, "knownGenePep", hggDoGetProteinSeq, title, 1); } else { webPrintLinkCellStart(); hPrintf("No protein"); webPrintLinkCellEnd(); } } 
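Review bot: The escaped query closes the SQL hole in printSeqLink, but the same geneId is then handed unencoded to `hPrintf("", cartSidUrlString(cart), command, geneId)` inside `if (sqlExists(conn, query))` — the format string has evidently lost its markup in this rendering, so this is inferred from the argument list, but it looks like geneId is being written into a link href. If geneId can arrive from the request, as the SQL fix implies, it should be URL-encoded before it is printed, e.g. `char *encodedId = cgiEncode(geneId);` used in place of geneId in that hPrintf and freed afterwards (or whichever encoder this file already uses for hrefs), otherwise the injection only moves from SQL into the link markup. printSeqLink is complete within the hunk; the function whose tail opens the hunk starts outside it.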
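Review bot: `char query[256]` in printProteinSeqLink is now filled by sqlSafef, whose escaping can expand geneId (each quote or backslash becomes two characters), and if sqlSafef inherits safef's abort-on-overflow behaviour a long or quote-heavy request-supplied id now aborts the whole CGI instead of falling through to the "No protein" cell. Either size the buffer as generously as the sibling printSeqLink does (`char query[512];`) or build it with a dyString the way the query in the next hunk is built, `struct dyString *query = newDyString(0);` / `sqlDyStringPrintf(query, "select length(seq) from %s where name='%s'", table, geneId);`. printProteinSeqLink is complete within the hunk; the function whose tail opens the hunk starts outside it.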
@@ -113,35 +113,35 @@ char *table = genomeSetting("knownGene"); struct dyString *query = newDyString(0); char **row; struct sqlResult *sr; char *chrom; int start,end; /* Print the current position. */ webPrintLinkTableStart(); printGenomicSeqLink(conn, geneId, curGeneChrom, curGeneStart, curGeneEnd); printMrnaSeqLink(conn,geneId); printProteinSeqLink(conn,geneId); webPrintLinkTableEnd(); /* Print out any additional positions. */
-dyStringPrintf(query, "select chrom,txStart,txEnd from %s", table);
-dyStringPrintf(query, " where name = '%s'", curGeneId);
-dyStringPrintf(query, " and (chrom != '%s'", curGeneChrom);
-dyStringPrintf(query, " or txStart != %d", curGeneStart);
-dyStringPrintf(query, " or txEnd != %d)", curGeneEnd);
+sqlDyStringPrintf(query, "select chrom,txStart,txEnd from %s", table);
+sqlDyStringPrintf(query, " where name = '%s'", curGeneId);
+sqlDyStringPrintf(query, " and (chrom != '%s'", curGeneChrom);
+sqlDyStringPrintf(query, " or txStart != %d", curGeneStart);
+sqlDyStringPrintf(query, " or txEnd != %d)", curGeneEnd);
 sr = sqlGetResult(conn, query->string); while ((row = sqlNextRow(sr)) != NULL) { struct sqlConnection *conn2 = hAllocConn(database); chrom = row[0]; start = atoi(row[1]); end = atoi(row[2]); webPrintLinkTableStart(); printGenomicSeqLink(conn2, geneId, chrom, start, end); webPrintLinkTableEnd(); hFreeConn(&conn2); } sqlFreeResult(&sr); freeDyString(&query); }
@@ -152,31 +152,31 @@ { struct section *section = sectionNew(sectionRa, "sequence"); section->print = sequenceTablePrint; return section; } void showSeqFromTable(struct sqlConnection *conn, char *geneId, char *geneName, char *table) /* Show some sequence from given table. */ { char query[512]; struct sqlResult *sr; char **row; hPrintf("
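Review bot: In the loop under `sr = sqlGetResult(conn, query->string)`, `hAllocConn(database)` and `hFreeConn(&conn2)` run once per additional-position row, so every extra row costs a fresh database connection; one conn2 allocated before the loop and freed after `sqlFreeResult(&sr)` does the same job (a second connection is presumably needed only because `sr` is still open on `conn`). Separately, `start = atoi(row[1])` and `end = atoi(row[2])` accept malformed values silently; the library's stricter integer parsers (sqlSigned and friends, if this file has them in scope) would reject them, though that is pre-existing rather than part of this fix. The function this hunk belongs to starts outside the hunk.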
");
 
-safef(query, sizeof(query), 
+sqlSafef(query, sizeof(query), 
     "select seq from %s where name = '%s'", table, geneId);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
     {
     char *seq = row[0];
     hPrintf(">%s (%s) length=%d\n", geneId, geneName, (seq!=NULL) ? (int)strlen(seq): 0);
     writeSeqWithBreaks(stdout, seq, strlen(seq), 60);
     }
 sqlFreeResult(&sr);
 hPrintf("
"); } static void showSeq(struct sqlConnection *conn, char *geneId, char *geneName, char *tableId) /* Show some sequence. */
@@ -184,31 +184,31 @@ char *table = genomeSetting(tableId); showSeqFromTable(conn, geneId, geneName, table); } static void showMrnaFromGenePred(struct sqlConnection *conn, char *geneId, char *geneName) /* Get mRNA sequence for gene from gene prediction. */ { char *table = genomeSetting("knownGene"); struct sqlResult *sr; char **row; char query[256]; boolean hasBin = hIsBinned(sqlGetDatabase(conn), table); hPrintf("
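Review bot: `writeSeqWithBreaks(stdout, seq, strlen(seq), 60)` dereferences seq unconditionally, while the hPrintf line just above it explicitly allows `seq == NULL` (`(seq!=NULL) ? (int)strlen(seq): 0`); a NULL seq column therefore prints the FASTA header and then crashes in strlen. Guard the write the same way, `if (seq != NULL) writeSeqWithBreaks(stdout, seq, strlen(seq), 60);`. The same hPrintf also echoes geneId and geneName into the page unescaped; if geneId is request-supplied, which is the reason for this commit, it should be HTML-escaped before output. showSeqFromTable is complete within the hunk; the hunk's first and last lines belong to neighbouring functions that start or end outside it.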
");
-safef(query, sizeof(query), 
+sqlSafef(query, sizeof(query), 
     "select * from %s where name='%s'"
     " and chrom='%s' and txStart=%d and txEnd=%d", 
     table, geneId, curGeneChrom, curGeneStart, curGeneEnd);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
     {
     struct genePred *gene = genePredLoad(row+hasBin);
     struct bed *bed = bedFromGenePred(gene);
     struct dnaSeq *seq = hSeqForBed(sqlGetDatabase(conn), bed);
     hPrintf(">%s (%s predicted mRNA)\n", geneId, geneName);
     writeSeqWithBreaks(stdout, seq->dna, seq->size, 50);
     dnaSeqFree(&seq);
     bedFree(&bed);
     genePredFree(&gene);
     }