080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGene/wikiTrack.c src/hg/hgGene/wikiTrack.c
index 0fdde5f..35b2819 100644
--- src/hg/hgGene/wikiTrack.c
+++ src/hg/hgGene/wikiTrack.c
@@ -65,31 +65,31 @@ else if ((0 == plusCount) && (negativeCount > 0))
 safecpy(bb->strand, sizeof(bb->strand), "-");
 else
 safecpy(bb->strand, sizeof(bb->strand), " ");
 return bb;
 }
 static char *canonicalGene(struct sqlConnection *conn, char *id, char **protein)
 /* given UCSC gene id, find canonical UCSC gene id and protein if asked for */
 {
 char *geneName;
 struct sqlResult *sr;
 char **row;
 char query[1024];
-safef(query, ArraySize(query), "SELECT e.transcript,e.protein FROM "
+sqlSafef(query, ArraySize(query), "SELECT e.transcript,e.protein FROM "
 "knownCanonical e, knownIsoforms j "
 "WHERE e.clusterId = j.clusterId AND j.transcript ='%s'", id);
 sr = sqlGetResult(conn, query);
 row = sqlNextRow(sr);
 if (row)
 {
 geneName = cloneString(row[0]);
 if (protein)
 *protein = cloneString(row[1]);
 }
 else
 geneName = NULL;
 sqlFreeResult(&sr);
@@ -108,31 +108,31 @@ char **row;
 struct bed *bed;
 struct bed *protein;
 struct bed *bedList = NULL;
 struct bed *proteinList = NULL;
 struct bed *clustered = NULL;
 char query[1024];
 if (! (sqlTableExists(conn, "knownGene") && sqlTableExists(conn, "kgXref")))
 {
 if (allIsoforms)
 *allIsoforms = NULL;
 return NULL;
 }
-safef(query, ArraySize(query),
+sqlSafef(query, ArraySize(query),
 "SELECT e.chrom,e.txStart,e.txEnd,e.alignID,e.strand "
 "FROM knownGene e, kgXref j WHERE e.alignID = j.kgID AND "
 "j.geneSymbol ='%s' ORDER BY e.chrom,e.txStart", geneSymbol);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
 {
 AllocVar(bed);
 bed->chrom = cloneString(row[0]);
 bed->chromStart = sqlUnsigned(row[1]);
 bed->chromEnd = sqlUnsigned(row[2]);
 bed->name = cloneString(row[3]);
 safecpy(bed->strand, sizeof(bed->strand), row[4]);
 slAddHead(&bedList, bed);
 }
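Review bot: When no row matches, canonicalGene returns NULL but leaves `*protein` untouched, so a caller that passes an uninitialized pointer and reads it after a NULL result sees garbage; the `else` branch should clear it as well, `else { geneName = NULL; if (protein) *protein = NULL; }` written in the file's own brace layout. The injection fix itself rests on `sqlSafef` escaping the `'%s'` argument, which means `id` must now reach this function unescaped or it will be escaped twice; a short comment on the call, `/* sqlSafef escapes id itself; callers pass it raw */`, would pin that contract. The rest of canonicalGene (its return) lies past the end of the hunk.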
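Review bot: In the second hunk the result loop builds `bedList` with `slAddHead`, which yields the rows in the reverse of the `ORDER BY e.chrom,e.txStart` order the query asks for; unless an `slReverse(&bedList)` follows after the hunk (not visible here), callers get the isoforms in descending position order. The `safecpy` of `row[4]` also assumes `e.strand` is never NULL; if that column is nullable in knownGene, `row[4] ? row[4] : ""` would be the safer source. The function containing this hunk starts before it (the header context `char **row;` is part of its declaration list) and continues past it.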
@@ -233,47 +233,47 @@ newItem->chromStart = start;
 newItem->chromEnd = end;
 newItem->name = cloneString(name);
 newItem->score = score;
 safef(newItem->strand, sizeof(newItem->strand), "%s", strand);
 newItem->db = cloneString(db);
 newItem->owner = cloneString(owner);
 newItem->class = cloneString(class);
 newItem->color = cloneString(color);
 newItem->creationDate = cloneString("0");
 newItem->lastModifiedDate = cloneString("0");
 newItem->descriptionKey = cloneString("0");
 newItem->id = 0;
 newItem->geneSymbol = cloneString(geneSymbol);
-wikiTrackSaveToDbEscaped(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);
+wikiTrackSaveToDb(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);
 int id = sqlLastAutoId(wikiConn);
 char descriptionKey[256];
 /* when wikiKey is NULL, assign the default key of category:db-id,
 * else, it is the proper key */
 if (wikiKey)
 safef(descriptionKey,ArraySize(descriptionKey), "%s", wikiKey);
 else
 safef(descriptionKey,ArraySize(descriptionKey), "%s:%s-%d", category, db, id);
 wikiTrackFree(&newItem);
 char query[1024];
-safef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'",
+sqlSafef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'",
 WIKI_TRACK_TABLE, descriptionKey, id);
 sqlUpdate(wikiConn,query);
 wikiDisconnect(&wikiConn);
 return (id);
 }
 static struct wikiTrack *startNewItem(struct sqlConnection *conn, char *chrom, int itemStart, int itemEnd, char *name, char *strand, struct bed *clusterList, struct bed *allIsoforms, struct bed *allProteins)
 /* create the database item to get a new one started */
 {
 char *userName = NULL;
 int score = 0;
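Review bot: The switch from wikiTrackSaveToDbEscaped to wikiTrackSaveToDb leaves the call with no statement of who escapes the string fields (`name`, `owner`, `class`, `color`, `geneSymbol`, all copied straight from the parameters); that now depends on the generated routine, which this hunk cannot show, and a later reader may re-add manual escaping and double-escape the values. A one-line comment at the call, `/* wikiTrackSaveToDb escapes string fields itself; store raw values */`, would fix the contract in place. In the `UPDATE`, `descriptionKey` is the only interpolated value derived from caller data (`wikiKey`, `category`, `db`) and `sqlSafef` now escapes it; `id` is an int and `WIKI_TRACK_TABLE` a constant, so the remaining `%s`/`%d` are not injection points. The function this hunk modifies begins before the hunk, and startNewItem continues past its end.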