080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgLogin/gbMembers.c src/hg/hgLogin/gbMembers.c
index 87d5b6d..29f3295 100644
--- src/hg/hgLogin/gbMembers.c
+++ src/hg/hgLogin/gbMembers.c
@@ -44,82 +44,39 @@
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = gbMembersLoad(row);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 void gbMembersSaveToDb(struct sqlConnection *conn, struct gbMembers *el, char *tableName, int updateSize)
 /* Save gbMembers as a row to the table specified by tableName. 
  * As blob fields may be arbitrary size updateSize specifies the approx size
  * of a string that would contain the entire query. Arrays of native types are
  * converted to comma separated strings and loaded as such, User defined types are
- * inserted as NULL. Note that strings must be escaped to allow insertion into the database.
- * For example "autosql's features include" --> "autosql\'s features include" 
- * If worried about this use gbMembersSaveToDbEscaped() */
+ * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */
 {
 struct dyString *update = newDyString(updateSize);
-dyStringPrintf(update, "insert into %s values ( %u,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", 
+sqlDyStringPrintf(update, "insert into %s values ( %u,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", 
 	tableName,  el->idx,  el->userName,  el->realName,  el->password,  el->email,  el->lastUse,  el->newPassword,  el->newPasswordExpire,  el->dateActivated,  el->emailToken,  el->emailTokenExpires,  el->passwordChangeRequired,  el->accountActivated);
 sqlUpdate(conn, update->string);
 freeDyString(&update);
 }
 
-void gbMembersSaveToDbEscaped(struct sqlConnection *conn, struct gbMembers *el, char *tableName, int updateSize)
-/* Save gbMembers as a row to the table specified by tableName. 
- * As blob fields may be arbitrary size updateSize specifies the approx size.
- * of a string that would contain the entire query. Automatically 
- * escapes all simple strings (not arrays of string) but may be slower than gbMembersSaveToDb().
- * For example automatically copies and converts: 
- * "autosql's features include" --> "autosql\'s features include" 
- * before inserting into database. */ 
-{
-struct dyString *update = newDyString(updateSize);
-char  *userName, *realName, *password, *email, *lastUse, *newPassword, *newPasswordExpire, *dateActivated, *emailToken, *emailTokenExpires, *passwordChangeRequired, *accountActivated;
-userName = sqlEscapeString(el->userName);
-realName = sqlEscapeString(el->realName);
-password = sqlEscapeString(el->password);
-email = sqlEscapeString(el->email);
-lastUse = sqlEscapeString(el->lastUse);
-newPassword = sqlEscapeString(el->newPassword);
-newPasswordExpire = sqlEscapeString(el->newPasswordExpire);
-dateActivated = sqlEscapeString(el->dateActivated);
-emailToken = sqlEscapeString(el->emailToken);
-emailTokenExpires = sqlEscapeString(el->emailTokenExpires);
-passwordChangeRequired = sqlEscapeString(el->passwordChangeRequired);
-accountActivated = sqlEscapeString(el->accountActivated);
-
-dyStringPrintf(update, "insert into %s values ( %u,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", 
-	tableName,  el->idx,  userName,  realName,  password,  email,  lastUse,  newPassword,  newPasswordExpire,  dateActivated,  emailToken,  emailTokenExpires,  passwordChangeRequired,  accountActivated);
-sqlUpdate(conn, update->string);
-freeDyString(&update);
-freez(&userName);
-freez(&realName);
-freez(&password);
-freez(&email);
-freez(&lastUse);
-freez(&newPassword);
-freez(&newPasswordExpire);
-freez(&dateActivated);
-freez(&emailToken);
-freez(&emailTokenExpires);
-freez(&passwordChangeRequired);
-freez(&accountActivated);
-}
 
 struct gbMembers *gbMembersLoad(char **row)
 /* Load a gbMembers from row fetched with select * from gbMembers
  * from database.  Dispose of this with gbMembersFree(). */
 {
 struct gbMembers *ret;
 
 AllocVar(ret);
 ret->idx = sqlUnsigned(row[0]);
 ret->userName = cloneString(row[1]);
 ret->realName = cloneString(row[2]);
 ret->password = cloneString(row[3]);
 ret->email = cloneString(row[4]);
 ret->lastUse = cloneString(row[5]);
 ret->newPassword = cloneString(row[6]);
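Review bot: The first `%s` in the new sqlDyStringPrintf call at `insert into %s values (...)` is an unquoted identifier position (tableName), not a quoted string value, so the automatic escaping the new comment promises only helps if sqlDyStringPrintf also validates unquoted `%s` arguments as identifiers; confirm that is the case in this version of jksql, and if it is not, vet tableName with the library's identifier check before the call. The hunk also deletes gbMembersSaveToDbEscaped() outright, which breaks any caller elsewhere in the tree that the diff does not show; keeping a one-line compatibility shim, `void gbMembersSaveToDbEscaped(struct sqlConnection *conn, struct gbMembers *el, char *tableName, int updateSize) { gbMembersSaveToDb(conn, el, tableName, updateSize); }`, preserves source compatibility while callers migrate. Since this file looks autoSql-generated, the same change presumably needs to land in the generator or it will be reverted on the next regeneration. The gbMembersLoad body at the end of the hunk continues past the hunk.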