080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
Fix SQL injection
diff --git src/hg/hgGene/wikiTrack.c src/hg/hgGene/wikiTrack.c
index 0fdde5f..35b2819 100644
--- src/hg/hgGene/wikiTrack.c
+++ src/hg/hgGene/wikiTrack.c
@@ -65,31 +65,31 @@
 else if ((0 == plusCount) && (negativeCount > 0))
     safecpy(bb->strand, sizeof(bb->strand), "-");
 else
     safecpy(bb->strand, sizeof(bb->strand), " ");
 return bb;
 }
 
 static char *canonicalGene(struct sqlConnection *conn, char *id, char **protein)
 /* given UCSC gene id, find canonical UCSC gene id and protein if asked for */
 {
 char *geneName;
 struct sqlResult *sr;
 char **row;
 char query[1024];
 
-safef(query, ArraySize(query), "SELECT e.transcript,e.protein FROM "
+sqlSafef(query, ArraySize(query), "SELECT e.transcript,e.protein FROM "
 	"knownCanonical e, knownIsoforms j "
 	"WHERE e.clusterId = j.clusterId AND j.transcript ='%s'", id);
 
 sr = sqlGetResult(conn, query);
 row = sqlNextRow(sr);
 if (row)
     {
     geneName = cloneString(row[0]);
     if (protein)
 	*protein = cloneString(row[1]);
     }
 else
     geneName = NULL;
 
 sqlFreeResult(&sr);
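Review bot: canonicalGene runs its query against knownCanonical and knownIsoforms with no check that those tables exist, whereas the sibling function in the next hunk returns NULL early when knownGene/kgXref are missing; if sqlGetResult aborts on a missing table as it appears to elsewhere in this codebase, the inconsistency turns a missing-table condition into a CGI abort here. Suggest the same guard ahead of the sqlSafef call: `if (!(sqlTableExists(conn, "knownCanonical") && sqlTableExists(conn, "knownIsoforms")))` / `    return NULL;` — leaving `*protein` untouched on that path matches the existing no-row path, which also does not assign it. The header comment should then state that the function returns NULL (with `*protein` left unset) when the id is not found or the tables are absent, and that the returned strings are cloneString copies the caller must free. canonicalGene opens inside this hunk but its closing brace is past the hunk's last line.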
@@ -108,31 +108,31 @@
 char **row;
 struct bed *bed;
 struct bed *protein;
 struct bed *bedList = NULL;
 struct bed *proteinList = NULL;
 struct bed *clustered = NULL;
 char query[1024];
 
 if (! (sqlTableExists(conn, "knownGene") && sqlTableExists(conn, "kgXref")))
     {
     if (allIsoforms)
 	*allIsoforms = NULL;
     return NULL;
     }
 
-safef(query, ArraySize(query),
+sqlSafef(query, ArraySize(query),
 	"SELECT e.chrom,e.txStart,e.txEnd,e.alignID,e.strand "
 	"FROM knownGene e, kgXref j WHERE e.alignID = j.kgID AND "
 	"j.geneSymbol ='%s' ORDER BY e.chrom,e.txStart", geneSymbol);
 
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(bed);
     bed->chrom = cloneString(row[0]);
     bed->chromStart = sqlUnsigned(row[1]);
     bed->chromEnd = sqlUnsigned(row[2]);
     bed->name = cloneString(row[3]);
     safecpy(bed->strand, sizeof(bed->strand), row[4]);
     slAddHead(&bedList, bed);
     }
@@ -233,47 +233,47 @@
 newItem->chromStart = start;
 newItem->chromEnd = end;
 newItem->name = cloneString(name);
 newItem->score = score;
 safef(newItem->strand, sizeof(newItem->strand), "%s", strand);
 newItem->db = cloneString(db);
 newItem->owner = cloneString(owner);
 newItem->class = cloneString(class);
 newItem->color = cloneString(color);
 newItem->creationDate = cloneString("0");
 newItem->lastModifiedDate = cloneString("0");
 newItem->descriptionKey = cloneString("0");
 newItem->id = 0;
 newItem->geneSymbol = cloneString(geneSymbol);
 
-wikiTrackSaveToDbEscaped(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);
+wikiTrackSaveToDb(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);
 
 int id = sqlLastAutoId(wikiConn);
 char descriptionKey[256];
 /* when wikiKey is NULL, assign the default key of category:db-id,
  *	else, it is the proper key
  */
 if (wikiKey)
     safef(descriptionKey,ArraySize(descriptionKey), "%s", wikiKey);
 else
     safef(descriptionKey,ArraySize(descriptionKey),
 	"%s:%s-%d", category, db, id);
 
 wikiTrackFree(&newItem);
 
 char query[1024];
-safef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'",
+sqlSafef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'",
     WIKI_TRACK_TABLE, descriptionKey, id);
 
 sqlUpdate(wikiConn,query);
 wikiDisconnect(&wikiConn);
 return (id);
 }
 
 static struct wikiTrack *startNewItem(struct sqlConnection *conn,
     char *chrom, int itemStart, int itemEnd, char *name, char *strand,
 	struct bed *clusterList, struct bed *allIsoforms,
 	    struct bed *allProteins)
 /* create the database item to get a new one started */
 {
 char *userName = NULL;
 int score = 0;
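Review bot: The switch from wikiTrackSaveToDbEscaped to wikiTrackSaveToDb at `wikiTrackSaveToDb(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);` is only safe if the generated wikiTrackSaveToDb now escapes the string fields itself — name, owner, class, color and geneSymbol are copied straight from the caller's arguments into newItem a few lines above — and that generated code is not part of this diff, so please confirm it was regenerated with sqlSafef-style escaping, otherwise this hunk reintroduces the injection the commit title says it fixes. A one-line comment at that call, `/* wikiTrackSaveToDb escapes string fields itself; no pre-escaping needed */`, would record the assumption for the next reader. Minor: in the UPDATE, `WHERE id='%d'` quotes an integer column value; `WHERE id=%d` is the conventional form and matches what the `%d` conversion implies. The function containing this code begins before the hunk, and startNewItem at the bottom continues past it.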