080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgGeneRing/hgGeneRing.c src/hg/hgGeneRing/hgGeneRing.c
index 34821b2..140ec12 100644
--- src/hg/hgGeneRing/hgGeneRing.c
+++ src/hg/hgGeneRing/hgGeneRing.c
@@ -265,100 +265,100 @@
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 
 void getGeneAliasesFromTable(char* table)
 /* read all the gene aliases from database, return bdgpGeneInfo-list */
 {
 struct bdgpGeneInfo *result = NULL, *this=NULL;
 struct dyString *query=newDyString(512);
 char *sep = "where";
 struct slName *sn = geneNames;
-dyStringPrintf(query,"select * from %s",table);
+sqlDyStringPrintf(query,"select * from %s",table);
 while(sn)
     {
     char * nm = sn->name;
     if (startsWith("CG",nm))
 	{
-	dyStringPrintf(query," %s bdgpName='%s'",sep,nm);
+	sqlDyStringPrintf(query," %s bdgpName='%s'",sep,nm);
         sep = "or";
 	}
     else if (!startsWith("FBgn",nm))
 	{
-	dyStringPrintf(query," %s symbol='%s'",sep,nm);
+	sqlDyStringPrintf(query," %s symbol='%s'",sep,nm);
         sep = "or";
 	}
     sn = sn->next;
     }
 //uglyf("<br>SQL=%s<br><br>\n",query->string);
 struct sqlConnection* conn = hAllocConn();
 result = bdgpGeneInfoLoadByQuery(conn, query->string);
 for(this=result;this;this=this->next)
     {
     //uglyf("<br>adding %s=%s<br>\n",this->bdgpName,this->flyBaseId); // debug
     hashAdd(aliasHash,this->bdgpName,cloneString(this->flyBaseId));
     //uglyf("<br>adding %s=%s<br>\n",this->symbol,this->flyBaseId); // debug
     hashAdd(aliasHash,this->symbol,cloneString(this->flyBaseId));
     }
 // Mysterious crashes if I free this list:
 //bdgpGeneInfoFreeList(&result);
 hFreeConn(&conn);
 freeDyString(&query);
 }
 
 struct interaction *getGenesFromTable(char* table)
 /* read all the gene interactions from database, returns interaction-list */
 {
 struct interaction *result = NULL;
 struct dyString *query=newDyString(512);
 char *sep = "where";
 struct slName *sn = geneNames;
 getGeneAliasesFromTable("bdgpGeneInfo"); /* load aliases into hash */
-dyStringPrintf(query,"select * from %s",table);
+sqlDyStringPrintf(query,"select * from %s",table);
 while(sn)
     {
     struct hashEl *hel = NULL, *hf=NULL;
     char * nm = sn->name;
     char * alias = NULL;
     if (!startsWith("FBgn",nm))
 	{
 	if (hf = hashLookup(aliasHash,nm))
 	    {
 	    alias = sn->name;
 	    //uglyf("<br>aliasing %s with %s<br>\n",nm,(char *)hf->val); // debug
 	    nm = (char *)hf->val;
 	    }
 	}
     hel = hashStore(nodeHash,nm);
     if (!hel->val)                /* add geneList elements to the hash */
 	{
 	struct node *n;
 	struct nodelist *nl;
 	AllocVar(n);
 	AllocVar(nl);
 	n->name  = cloneString(nm);
 	n->alias = cloneString(alias);
 	n->ring = TRUE;          /* this is a special ring member */
 	nl->node = n;
 	slAddHead(&allNodes,nl); /* all nodes going in hash are added to all-nodes list */
 	hel->val = n;
 	}
-    dyStringPrintf(query," %s fromX='%s' or toY='%s'",sep,nm,nm);
+    sqlDyStringPrintf(query," %s fromX='%s' or toY='%s'",sep,nm,nm);
     sep = "or";
     sn = sn->next;
     }
 //uglyf("<br>SQL=%s<br><br>\n",query->string);
 struct sqlConnection* conn = hAllocConn();
 result = interactionLoadByQuery(conn, query->string);
 hFreeConn(&conn);
 freeDyString(&query);
 return result;
 }
 
 
 void getGeneList()
 /* hgGeneRing - Gene Network Browser. */
 {
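Review bot: The table name substituted into `select * from %s` (the first sqlDyStringPrintf call in each of getGeneAliasesFromTable and getGenesFromTable) sits in an unquoted identifier position, so the value escaping that protects the `'%s'` substitutions from `geneNames` does not by itself cover it; whether sqlDyStringPrintf also validates or rejects a non-identifier there, or the argument is simply trusted, is not visible in this hunk. Within the hunk the only visible caller passes the literal `"bdgpGeneInfo"`; the caller of getGenesFromTable is outside it, so the origin of that `table` argument cannot be confirmed here. It would help to record the assumption at both call sites, e.g. `/* table is an unquoted identifier: must be a code literal or validated by sqlDyStringPrintf, never user input */`. The gene names are substituted only inside single quotes in the `where`/`or` clauses, which is the case the switch to sqlDyStringPrintf addresses.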