080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgGetAnn/hgGetAnn.c src/hg/hgGetAnn/hgGetAnn.c
index ec81923..3353804 100644
--- src/hg/hgGetAnn/hgGetAnn.c
+++ src/hg/hgGetAnn/hgGetAnn.c
@@ -375,50 +375,50 @@ checkTableFields(tableInfo, FALSE); for (pos = posTab->posList; pos != NULL; pos = pos->next) rowCnt += outputByChromRange(db, outFh, tableInfo, pos); return rowCnt; } int outputByName(char *db, FILE *outFh, struct hTableInfo *tableInfo, char *realTable, struct hgPos *pos) /* Output results where there is a name and no chrom range hgPos. Actual table * name must be supplied, as hgPos does not have a chrom. */ { struct sqlConnection *conn = hAllocConn(db); struct sqlResult *sr; char query[512]; int rowCnt = 0; -safef(query, sizeof(query), "select * from %s where (%s = '%s')", +sqlSafef(query, sizeof(query), "select * from %s where (%s = '%s')", realTable, tableInfo->nameField, pos->name); sr = sqlGetResult(conn, query); rowCnt = outputRows(outFh, tableInfo, sr, NULL); sqlFreeResult(&sr); hFreeConn(&conn); return rowCnt; } int outputByPosition(char *db, FILE *outFh, struct hTableInfo *tableInfo, struct hgPos *pos) /* Output results where there is a name and chrom location hgPos. */ { struct sqlConnection *conn = hAllocConn(db); struct sqlResult *sr; char query[512]; int rowCnt = 0; -safef(query, sizeof(query), "select * from %s where (%s = '%s') and (%s = %d) and (%s = %d)", +sqlSafef(query, sizeof(query), "select * from %s where (%s = '%s') and (%s = %d) and (%s = %d)", getTableName(pos->chrom, tableInfo), tableInfo->chromField, pos->chrom, tableInfo->startField, pos->chromStart, tableInfo->endField, pos->chromEnd); sr = sqlGetResult(conn, query); rowCnt = outputRows(outFh, tableInfo, sr, pos); sqlFreeResult(&sr); hFreeConn(&conn); return rowCnt; } int outputTablePosHits(char *db, FILE *outFh, struct hTableInfo *tableInfo, struct hgPos *pos) /* Output results for when query matches requested table. */