080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGene/synonym.c src/hg/hgGene/synonym.c
index 680ea30..b244404 100644
--- src/hg/hgGene/synonym.c
+++ src/hg/hgGene/synonym.c
@@ -21,62 +21,62 @@ static void printOurRefseqUrl(FILE *f, char *accession) /* Print URL for Entrez browser on a nucleotide. */ { fprintf(f, "../cgi-bin/hgc?%s&g=refGene&i=%s&c=%s&o=%d&l=%d&r=%d&db=%s", cartSidUrlString(cart), accession, curGeneChrom, curGeneStart, curGeneStart, curGeneEnd, database); } static int countAlias(char *id, struct sqlConnection *conn) /* Count how many valid gene symbols to be printed */ { char query[256]; struct sqlResult *sr; int cnt = 0; char **row; -safef(query, sizeof(query), "select alias from kgAlias where kgId = '%s' order by alias", id); +sqlSafef(query, sizeof(query), "select alias from kgAlias where kgId = '%s' order by alias", id); sr = sqlGetResult(conn, query); row = sqlNextRow(sr); while (row != NULL) { /* skip kgId and the maint gene symbol (curGeneName) */ if ((!sameWord(id, row[0])) && (!sameWord(row[0], curGeneName))) { cnt++; } row = sqlNextRow(sr); } sqlFreeResult(&sr); return(cnt); } char *aliasString(char *id, struct sqlConnection *conn) /* return alias string as it would be printed in html, can free after use */ { char query[256]; struct sqlResult *sr = NULL; char **row; int totalCount; int cnt = 0; totalCount = countAlias(id,conn); if (totalCount > 0) { struct dyString *aliasReturn = dyStringNew(0); dyStringPrintf(aliasReturn, "<B>Alternate Gene Symbols:</B> "); - safef(query, sizeof(query), "select alias from kgAlias where kgId = '%s' order by alias", id); + sqlSafef(query, sizeof(query), "select alias from kgAlias where kgId = '%s' order by alias", id); sr = sqlGetResult(conn, query); row = sqlNextRow(sr); while (cnt < totalCount) { /* skip kgId and the maint gene symbol (curGeneName) */ if ((!sameWord(id, row[0])) && (!sameWord(row[0], curGeneName))) { dyStringPrintf(aliasReturn, "%s", row[0]); if (cnt < (totalCount-1)) dyStringPrintf(aliasReturn, ", "); cnt++; } row = sqlNextRow(sr); } dyStringPrintf(aliasReturn, "<BR>"); sqlFreeResult(&sr); 
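Review bot: In aliasString the `while (cnt < totalCount)` loop dereferences `row[0]` without checking that sqlNextRow returned a row; totalCount comes from a separate query in countAlias, so if kgAlias changes between the two queries the loop walks off the end of the result set and crashes on a NULL row. Changing the condition to `while (cnt < totalCount && row != NULL)` keeps the output identical on the normal path and makes the function robust to that race. The sqlSafef change itself looks right here: `id` is only ever substituted inside single quotes in both queries. aliasString continues past the end of the hunk.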
@@ -93,75 +93,75 @@ if (aliases) { hPrintf("%s", aliases); freeMem(aliases); } } static void printGeneSymbol (char *geneId, char *table, char *idCol, struct sqlConnection *conn) /* Print out official Entrez gene symbol from a cross-reference table.*/ { char query[256]; struct sqlResult *sr = NULL; char **row; char *geneSymbol; -if (sqlTablesExist(conn, table)) +if (sqlTableExists(conn, table)) { hPrintf("<B>Entrez Gene Official Symbol:</B> "); - safef(query, sizeof(query), "select geneSymbol from %s where %s = '%s'", table, idCol, geneId); + sqlSafef(query, sizeof(query), "select geneSymbol from %s where %s = '%s'", table, idCol, geneId); sr = sqlGetResult(conn, query); if (sr != NULL) { row = sqlNextRow(sr); geneSymbol = cloneString(row[0]); if (!sameString(geneSymbol, "")) hPrintf("%s<BR>", geneSymbol); } } sqlFreeResult(&sr); } static char *getRefSeqAcc(char *id, char *table, char *idCol, struct sqlConnection *conn) /* Finds RefSeq accession from a cross-reference table. */ { char query[256]; struct sqlResult *sr = NULL; char **row; char *refSeqAcc = NULL; -if (sqlTablesExist(conn, table)) +if (sqlTableExists(conn, table)) { - safef(query, sizeof(query), "select refSeq from %s where %s = '%s'", table, idCol, id); + sqlSafef(query, sizeof(query), "select refSeq from %s where %s = '%s'", table, idCol, id); sr = sqlGetResult(conn, query); if (sr != NULL) { row = sqlNextRow(sr); refSeqAcc = cloneString(row[0]); } } sqlFreeResult(&sr); return refSeqAcc; } static void printCcds(char *kgId, struct sqlConnection *conn) /* Print out CCDS ids most closely matching the kg. 
*/ { struct ccdsGeneMap *ccdsKgs = NULL; -if (sqlTablesExist(conn, "ccdsKgMap")) +if (sqlTableExists(conn, "ccdsKgMap")) ccdsKgs = ccdsGeneMapSelectByGene(conn, "ccdsKgMap", kgId, 0.0); if (ccdsKgs != NULL) { struct ccdsGeneMap *ccdsKg; hPrintf("<B>CCDS:</B> "); /* since kg is not by location (even though we have a * curGeneStart/curGeneEnd), we need to use the location in the * ccdsGeneMap */ for (ccdsKg = ccdsKgs; ccdsKg != NULL; ccdsKg = ccdsKg->next) { if (ccdsKg != ccdsKgs) hPrintf(", "); hPrintf("<A href=\"../cgi-bin/hgc?%s&g=ccdsGene&i=%s&c=%s&o=%d&l=%d&r=%d&db=%s\">%s</A>", cartSidUrlString(cart), ccdsKg->ccdsId, ccdsKg->chrom, ccdsKg->chromStart, ccdsKg->chromStart, ccdsKg->chromEnd, database, ccdsKg->ccdsId); 
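Review bot: printGeneSymbol and getRefSeqAcc both do `row = sqlNextRow(sr);` followed by `cloneString(row[0])` with no NULL check, so a geneId with no row in the cross-reference table dereferences NULL; rgdGene2SynonymPrint later in this diff already uses the safer `if ((row = sqlNextRow(sr)) != NULL)` form, and these two should match it. In printGeneSymbol the cloned geneSymbol is also never freed. Note that `table` and `idCol` are substituted as unquoted `%s`, so the quoting that now protects geneId does not apply to them; that is acceptable while callers keep passing compile-time literals, as the Zebrafish branch later in this diff does (`"ensXRefZfish"`, `"ensGeneId"`), but a short comment such as `/* table and idCol must be trusted literals: they appear as bare identifiers in the query */` on both functions would stop a future caller from passing request data there. printCcds continues past the end of the hunk.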
@@ -193,63 +193,63 @@ } *chpOut = '\0'; //return inStr; return strdup(outStr); } static void rgdGene2SynonymPrint(struct section *section, struct sqlConnection *conn, char *rgdGeneId) { char *geneSym = NULL, *geneName = NULL; char query[256], **row; struct sqlResult *sr; if (rgdGeneId != NULL) { - safef(query, sizeof(query), + sqlSafef(query, sizeof(query), "select old_symbol, old_name from rgdGene2Raw where gene_rgd_id = '%s'", rgdGeneId+4L); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { if (row[0][0] != 0 && !sameString(row[0], "n/a")) { geneSym = cloneString(row[0]); hPrintf("<B>Symbol:</B> %s ", addCommaSpace(row[0])); hPrintf("<BR>\n"); } if (row[1][0] != 0 && !sameString(row[0], "n/a")) { geneName = cloneString(row[1]); hPrintf("<B>Name:</B> %s ", addCommaSpace(geneName)); hPrintf("<BR>\n"); } } sqlFreeResult(&sr); - safef(query, sizeof(query), + sqlSafef(query, sizeof(query), "select value from rgdGene2ToRefSeq where name= '%s'", rgdGeneId); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { hPrintf("<B>RefSeq Accession: </B> <A HREF=\""); printOurRefseqUrl(stdout, row[0]); hPrintf("\">%s</A><BR>\n", row[0]); } sqlFreeResult(&sr); - safef(query, sizeof(query), + sqlSafef(query, sizeof(query), "select value from rgdGene2ToUniProt where name= '%s'", rgdGeneId); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { char *spId, *spDisplayId, *oldDisplayId; spId = row[0]; hPrintf("<B>Protein: </B>"); hPrintf("<A HREF=\"http://www.uniprot.org/uniprot/%s\" " "TARGET=_blank>%s</A>\n", spId, spId); /* show SWISS-PROT display ID if it is different than the accession ID */ /* but, if display name is like: Q03399 | Q03399_HUMAN, then don't show display name */ spDisplayId = spAnyAccToId(spConn, spId); if (spDisplayId == NULL) 
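Review bot: The first query passes `rgdGeneId+4L` to skip the first four characters of the id, but nothing in rgdGene2SynonymPrint checks that rgdGeneId is at least that long; for a shorter id the pointer lands past the terminator and the value being escaped is read from outside the string. A guard such as `if (rgdGeneId != NULL && strlen(rgdGeneId) > 4)` in place of the current NULL-only test, ideally combined with a check that the id carries the expected prefix, would close that. The second condition `if (row[1][0] != 0 && !sameString(row[0], "n/a"))` tests row[0] where row[1] (the name being printed) appears to be intended, so an `n/a` name is still emitted. Each `addCommaSpace(...)` result is allocated with strdup and passed straight to hPrintf, so those strings leak, as do geneSym and geneName within the visible part of the function. The function continues past the end of the hunk.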
@@ -283,55 +283,55 @@ char *protAcc = getSwissProtAcc(conn, spConn, id); char *spDisplayId; char *refSeqAcc = ""; char *mrnaAcc = ""; char *oldDisplayId; char condStr[255]; char *kgProteinID; char *parAcc; /* parent accession of a variant splice protein */ char *chp; if (isRgdGene(conn)) { rgdGene2SynonymPrint(section,conn, id); return; } -if (sqlTablesExist(conn, "kgAlias")) +if (sqlTableExists(conn, "kgAlias")) printAlias(id, conn); if (sameWord(genome, "Zebrafish")) { char *xrefTable = "ensXRefZfish"; char *geneIdCol = "ensGeneId"; /* get Gene Symbol and RefSeq accession from Zebrafish-specific */ /* cross-reference table */ printGeneSymbol(id, xrefTable, geneIdCol, conn); refSeqAcc = getRefSeqAcc(id, xrefTable, geneIdCol, conn); hPrintf("<B>ENSEMBL ID:</B> %s", id); } else { char query[256]; char *toRefTable = genomeOptionalSetting("knownToRef"); if (toRefTable != NULL && sqlTableExists(conn, toRefTable)) { - safef(query, sizeof(query), "select value from %s where name='%s'", toRefTable, + sqlSafef(query, sizeof(query), "select value from %s where name='%s'", toRefTable, id); refSeqAcc = emptyForNull(sqlQuickString(conn, query)); } if (sqlTableExists(conn, "kgXref")) { - safef(query, sizeof(query), "select mRNA from kgXref where kgID='%s'", id); + sqlSafef(query, sizeof(query), "select mRNA from kgXref where kgID='%s'", id); mrnaAcc = emptyForNull(sqlQuickString(conn, query)); } if (sameWord(genome, "C. elegans")) hPrintf("<B>WormBase ID:</B> %s<BR>", id); else hPrintf("<B>UCSC ID:</B> %s<BR>", id); } if (refSeqAcc[0] != 0) { hPrintf("<B>RefSeq Accession: </B> <A HREF=\""); printOurRefseqUrl(stdout, refSeqAcc); hPrintf("\">%s</A><BR>\n", refSeqAcc); } else if (mrnaAcc[0] != 0)
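Review bot: In the Zebrafish branch `refSeqAcc = getRefSeqAcc(id, xrefTable, geneIdCol, conn);` can assign NULL (getRefSeqAcc, earlier in this diff, returns its initial NULL when the table does not exist), and `if (refSeqAcc[0] != 0)` then dereferences it; writing `refSeqAcc = emptyForNull(getRefSeqAcc(id, xrefTable, geneIdCol, conn));` matches how the other branch already wraps sqlQuickString. Separately, the same `id` that this commit now escapes for SQL is still written straight into the page by `hPrintf("<B>ENSEMBL ID:</B> %s", id);` and `hPrintf("<B>UCSC ID:</B> %s<BR>", id);`; if `id` comes from the request, as the SQL fix implies, it should pass through an HTML-escaping helper such as `htmlEncode` before output so the untrusted value is not reflected into markup. The `toRefTable` value from genomeOptionalSetting is substituted as a bare identifier via `%s`, which is fine only because it comes from configuration rather than the request, and a one-line comment saying so would help the next reader. The enclosing function starts before and ends after this hunk.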