080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgPcr/hgPcr.c src/hg/hgPcr/hgPcr.c
index bd51c60..20f0b15 100644
--- src/hg/hgPcr/hgPcr.c
+++ src/hg/hgPcr/hgPcr.c
@@ -61,31 +61,31 @@
    char *host;		/* Name of machine hosting server. */
    char *port;		/* Port that hosts server. */
    struct targetDb *targetDb;     /* All of the info about the target. */
    };
 
 struct pcrServer *getServerList()
 /* Get list of available servers. */
 {
 struct pcrServer *serverList = NULL, *server;
 struct sqlConnection *conn = hConnectCentral();
 struct sqlResult *sr;
 char **row;
 
 /* Do a little join to get data to fit into the pcrServer. */
 sr = sqlGetResult(conn, 
-   "select dbDb.name,dbDb.genome,dbDb.description,blatServers.host,"
+   "NOSQLINJ select dbDb.name,dbDb.genome,dbDb.description,blatServers.host,"
    "blatServers.port,dbDb.nibPath "
    "from dbDb,blatServers where "
    "dbDb.name = blatServers.db "
    "and blatServers.canPcr = 1 order by dbDb.orderKey" );
 while ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(server);
     server->db = cloneString(row[0]);
     server->genome = cloneString(row[1]);
     server->description = cloneString(row[2]);
     server->host = cloneString(row[3]);
     server->port = cloneString(row[4]);
     server->seqDir = cloneString(row[5]);
     slAddHead(&serverList, server);
     }
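Review bot: The `NOSQLINJ` token embedded in the query literal at the first call to sqlGetResult is undocumented at the call site, and a reader seeing it inside an SQL string cannot tell whether it is part of the query or a marker. Presumably it tells sqlGetResult that this is a constant query with no interpolated values and may skip the injection check; a comment next to it, `/* NOSQLINJ: constant query with no caller-supplied text, so it is exempt from the injection check */`, would record that and make clear the exemption holds only as long as no format arguments are ever added to this string. getServerList's body continues past the end of the hunk.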
@@ -108,56 +108,55 @@
         return server;
     }
 errAbort("Can't find a server for PCR database %s\n", db);
 return NULL;
 }
 
 struct targetPcrServer *getTargetServerList(char *db, char *name)
 /* Get list of available non-genomic-assembly target pcr servers associated 
  * with db (and name, if not NULL).  There may be none -- that's fine. */
 {
 struct targetPcrServer *serverList = NULL, *server;
 struct sqlConnection *conn = hConnectCentral();
 struct sqlConnection *conn2 = hAllocConn(db);
 struct sqlResult *sr;
 char **row;
-char query[2048];
+struct dyString *dy = dyStringNew(0);
 
-safef(query, sizeof(query),
+sqlDyStringPrintf(dy, 
       "select b.host, b.port, t.* from targetDb as t, blatServers as b "
-      "where b.db = t.name and t.db = '%s' and b.canPcr = 1 "
-      "%s%s%s"
-      "order by t.priority",
-      db,
-      isNotEmpty(name) ? "and t.name = '" : "",
-      isNotEmpty(name) ? name : "",
-      isNotEmpty(name) ? "' " : "");
-sr = sqlGetResult(conn, query);
+      "where b.db = t.name and t.db = '%s' and b.canPcr = 1 ",
+      db);
+if (isNotEmpty(name))
+    sqlDyStringPrintf(dy, "and t.name = '%s' ", name);
+dyStringAppend(dy, "order by t.priority");
+sr = sqlGetResult(conn, dy->string);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     /* Keep this server only if its timestamp is newer than the tables
      * and file on which it depends. */
     struct targetDb *target = targetDbMaybeLoad(conn2, row+2);
     if (target != NULL)
 	{
 	AllocVar(server);
 	server->host = cloneString(row[0]);
 	server->port = cloneString(row[1]);
 	server->targetDb = target;
 	slAddHead(&serverList, server);
 	}
     }
+dyStringFree(&dy);
 sqlFreeResult(&sr);
 hDisconnectCentral(&conn);
 hFreeConn(&conn2);
 slReverse(&serverList);
 return serverList;
 }
 
 void doHelp()
 /* Print up help page */
 {
 puts(
 "In-Silico PCR searches a sequence database with a pair of\n"
 "PCR primers, using an indexing strategy for fast performance.\n"
 "\n"
 "<H3>Configuration Options</H3>\n"
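Review bot: The final clause at `dyStringAppend(dy, "order by t.priority");` bypasses the SQL-aware builder that the rest of the query in getTargetServerList now goes through, so the query is assembled by two different mechanisms; for consistency use `sqlDyStringPrintf(dy, "order by t.priority");` so every fragment, including any parameter added later, passes through the same escaping path. The literal is constant, so this is a style point rather than a defect in the new code. The `t.db = '%s'` and `t.name = '%s'` values (db and name) are presumably escaped by sqlDyStringPrintf, which is what closes the injection the commit title names; a one-line comment above the first call, `/* sqlDyStringPrintf escapes its %s arguments; never append caller-supplied text with plain dyString calls */`, would make that expectation explicit for future edits.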