080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGeneBands/hgGeneBands.c src/hg/hgGeneBands/hgGeneBands.c
index 5690f15..1a1e729 100644
--- src/hg/hgGeneBands/hgGeneBands.c
+++ src/hg/hgGeneBands/hgGeneBands.c
@@ -17,54 +17,54 @@ errAbort( "hgGeneBands - print genes with band info \n" "usage:\n" " hgGeneBands database chrom \n"); } char *getAltName(char *name) /* query refLink */ { struct sqlConnection *conn = hAllocConn(database); char query[512]; struct sqlResult *sr; char **row; char *altName = needMem(32);
-safef(query, sizeof(query), "select name from refLink where mrnaAcc = '%s' ", name);
+sqlSafef(query, sizeof(query), "select name from refLink where mrnaAcc = '%s' ", name);
 sr = sqlGetResult(conn, query); row = sqlNextRow(sr); if (row == NULL) strcpy(altName, "n/a"); else strcpy(altName, row[0]); sqlFreeResult(&sr); hFreeConn(&conn); return altName; } struct genePred *readGenes(char *chrom) /* Slurp in the genes for one chrom */ { struct sqlConnection *conn = hAllocConn(database); struct genePred *list=NULL, *el; char query[512]; struct sqlResult *sr; char **row; int count = 0;
-safef(query, sizeof(query), "select * from %s where chrom='%s' ", geneTable, chrom);
+sqlSafef(query, sizeof(query), "select * from %s where chrom='%s' ", geneTable, chrom);
 sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { el = genePredLoad(row); slAddHead(&list,el); count++; } sqlFreeResult(&sr); slReverse(&list); /* could possibly skip if it made much difference in speed. */ hFreeConn(&conn); verbose(1, "Count of genes found = %d\n\n", count); return list; }
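Review bot: In getAltName, `strcpy(altName, row[0])` copies the refLink.name value returned by the query into the 32-byte buffer from `needMem(32)` with no length check, so any name of 32 or more characters overflows the heap allocation; switching the query line to sqlSafef does not touch this. Dropping the fixed size removes the problem: replace the `needMem(32)` line with `char *altName = NULL;` and the if/else with `altName = cloneString(row == NULL ? "n/a" : row[0]);`, which keeps the caller-owned heap string contract. In readGenes the `%s` for geneTable substitutes a table identifier rather than a string literal, so escaping alone does not constrain it; if geneTable can come from the command line (its definition is not in this hunk), validating it with `sqlTableExists(conn, geneTable)` before building the query would be the matching check. The function at the top of the hunk starts outside it.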
@@ -80,41 +80,41 @@ struct sqlConnection *conn = NULL; char *altName = NULL; genes = readGenes(chromName); conn = hAllocConn(); for (gene = genes; gene != NULL; gene = gene->next) { verbose(4, "gene %d = %s\n----------\n", geneCount, gene->name); geneCount++; start = gene->txStart; end = gene->txEnd;
- safef(query1, sizeof(query1),
+ sqlSafef(query1, sizeof(query1),
 "select name from cytoBand where chrom = '%s' and chromStart <= %d and chromEnd >= %d", chromName, start, start); sr = sqlGetResult(conn, query1); // check for zero results // should actually just be one row while ((row = sqlNextRow(sr)) != NULL) { sprintf(name1, "%s", row[0]); }
- safef(query2, sizeof(query2),
+ sqlSafef(query2, sizeof(query2),
 "select name from cytoBand where chrom = '%s' and chromStart <= %d and chromEnd >= %d", chromName, end, end); sr = sqlGetResult(conn, query2); // check for zero results // should actually just be one row while ((row = sqlNextRow(sr)) != NULL) { sprintf(name2, "%s", row[0]); } altName = getAltName(gene->name); if (sameString(name1, name2)) printf("%s %s %d %d %s%s\n", gene->name, altName, start, end, skipChr(chromName), name1); else printf("%s %s %d %d %s%s %s%s\n", gene->name, altName, start, end, skipChr(chromName), name1, skipChr(chromName), name2); }
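Review bot: `sprintf(name1, "%s", row[0])`, and the same for name2 after the second query, copies a cytoBand name into a buffer with no bound; name1 and name2 are declared outside this hunk so their size is not visible, but the copy should be sized, e.g. `safecpy(name1, sizeof(name1), row[0]);`. As far as this hunk shows, the result of the first query is never released before `sr = sqlGetResult(conn, query2)` overwrites `sr`, and no `sqlFreeResult(&sr)` follows the second loop either, so each while loop should be followed by `sqlFreeResult(&sr);`. The "check for zero results" comments describe a check that is not there: when a query returns no row, name1 or name2 keeps the value from the previous gene, so clear them (`name1[0] = '\0';`) before each query or handle an empty result explicitly. The string returned by `getAltName(gene->name)` is heap-allocated and is never freed inside the loop. The enclosing function begins before and ends after this hunk.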