080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGeneRing/hgGeneRing.c src/hg/hgGeneRing/hgGeneRing.c
index 34821b2..140ec12 100644
--- src/hg/hgGeneRing/hgGeneRing.c
+++ src/hg/hgGeneRing/hgGeneRing.c 
@@ -265,100 +265,100 @@ slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } void getGeneAliasesFromTable(char* table) /* read all the gene aliases from database, return bdgpGeneInfo-list */ { struct bdgpGeneInfo *result = NULL, *this=NULL; struct dyString *query=newDyString(512); char *sep = "where"; struct slName *sn = geneNames;
-dyStringPrintf(query,"select * from %s",table);
+sqlDyStringPrintf(query,"select * from %s",table);
 while(sn) { char * nm = sn->name; if (startsWith("CG",nm)) {
- dyStringPrintf(query," %s bdgpName='%s'",sep,nm);
+ sqlDyStringPrintf(query," %s bdgpName='%s'",sep,nm);
 sep = "or"; } else if (!startsWith("FBgn",nm)) {
- dyStringPrintf(query," %s symbol='%s'",sep,nm);
+ sqlDyStringPrintf(query," %s symbol='%s'",sep,nm);
 sep = "or"; } sn = sn->next; } //uglyf("<br>SQL=%s<br><br>\n",query->string);
 struct sqlConnection* conn = hAllocConn(); result = bdgpGeneInfoLoadByQuery(conn, query->string); for(this=result;this;this=this->next) { //uglyf("<br>adding %s=%s<br>\n",this->bdgpName,this->flyBaseId); // debug
 hashAdd(aliasHash,this->bdgpName,cloneString(this->flyBaseId)); //uglyf("<br>adding %s=%s<br>\n",this->symbol,this->flyBaseId); // debug
 hashAdd(aliasHash,this->symbol,cloneString(this->flyBaseId)); } // Mysterious crashes if I free this list: //bdgpGeneInfoFreeList(&result);
 hFreeConn(&conn); freeDyString(&query); } struct interaction *getGenesFromTable(char* table) /* read all the gene interactions from database, returns interaction-list */ { struct interaction *result = NULL; struct dyString *query=newDyString(512); char *sep = "where"; struct slName *sn = geneNames; getGeneAliasesFromTable("bdgpGeneInfo"); /* load aliases into hash */
-dyStringPrintf(query,"select * from %s",table);
+sqlDyStringPrintf(query,"select * from %s",table);
 while(sn) { struct hashEl *hel = NULL, *hf=NULL; char * nm = sn->name; char * alias = NULL; if (!startsWith("FBgn",nm)) { if (hf = hashLookup(aliasHash,nm)) { alias = sn->name; 
//uglyf("<br>aliasing %s with %s<br>\n",nm,(char *)hf->val); // debug
 nm = (char *)hf->val; } } hel = hashStore(nodeHash,nm); if (!hel->val) /* add geneList elements to the hash */ { struct node *n; struct nodelist *nl; AllocVar(n); AllocVar(nl); n->name = cloneString(nm); n->alias = cloneString(alias); n->ring = TRUE; /* this is a special ring member */ nl->node = n; slAddHead(&allNodes,nl); /* all nodes going in hash are added to all-nodes list */ hel->val = n; }
- dyStringPrintf(query," %s fromX='%s' or toY='%s'",sep,nm,nm);
+ sqlDyStringPrintf(query," %s fromX='%s' or toY='%s'",sep,nm,nm);
 sep = "or"; sn = sn->next; } //uglyf("<br>SQL=%s<br><br>\n",query->string);
 struct sqlConnection* conn = hAllocConn(); result = interactionLoadByQuery(conn, query->string); hFreeConn(&conn); freeDyString(&query); return result; } void getGeneList() /* hgGeneRing - Gene Network Browser. */ {
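Review bot: When no entry of geneNames produces a clause, `sep` is still "where" and the query assembled by the new sqlDyStringPrintf calls remains a bare `select * from <table>` — in getGeneAliasesFromTable that happens when every name starts with "FBgn", in getGenesFromTable when the list is empty — so the escaping closes the injection but still lets the whole table be pulled into aliasHash or returned as the interaction list; unless loading everything is intended, I would guard the unrestricted form before hAllocConn, e.g. in getGenesFromTable `if (sameString(sep, "where")) { freeDyString(&query); return NULL; }` and the `return;` equivalent in the alias loader. If I recall correctly, sqlDyStringPrintf escapes only the `%s` arguments that sit inside quotes and runs the unquoted table `%s` through an identifier check, so callers of getGenesFromTable must still pass a trusted table name; a comment on the parameter such as `/* table: trusted table name; sqlDyStringPrintf only identifier-checks it, it does not quote it */` would make that contract visible. As a point of style, `if (hf = hashLookup(aliasHash,nm))` reads better as `if ((hf = hashLookup(aliasHash,nm)) != NULL)` so the assignment is clearly deliberate. The hunk opens inside a function whose header lies above it and ends at the opening brace of getGeneList, whose body is outside the hunk.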