080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgSelect/hgSelect.c src/hg/hgSelect/hgSelect.c
index a542812..f1178ee 100644
--- src/hg/hgSelect/hgSelect.c
+++ src/hg/hgSelect/hgSelect.c
@@ -13,31 +13,31 @@
 errAbort(
     "%s\n"
     "hgSelect - select from genome tables, handling split tables and\n"
     "           bin column\n"
     "\n"
     "usage:\n"
     "   hgSelect [options] db table outFile\n"
     "\n"
     "Select rows from a table, handling select from split tables and dropping\n"
     "a bin column. \n"
     "\n"
     "Options:\n"
     "   -noRandom - Exclude *_random pseudo-chromsomes\n"
     "   -noHap - Exclude *_hap* pseudo-chromsomes\n"
     "   -where=where \n"
-    "   -joinTbls=tbls - comman seperated list other tables, if required\n"
+    "   -joinTbls=tbls - comman separated list other tables, if required\n"
     "    by -where\n"
     "   -verbose=n - 2 outputs SQL\n",
     msg);
 }
 
 /* command line */
 static struct optionSpec optionSpec[] = {
     {"noRandom", OPTION_BOOLEAN},
     {"noHap", OPTION_BOOLEAN},
     {"where", OPTION_STRING},
     {"joinTbls", OPTION_STRING},
     {NULL, 0}
 };
 
 static boolean noRandom;
@@ -77,52 +77,51 @@
 else
     dyStringAppend(query, " and");
 }
 
 static void addWhereClause(struct hTableInfo *tblInfo,
                            struct dyString *query)
 /* Build up where clause. If this isn't a split table and there are chrom
  * restrictions, include chrom restiction in the where. */
 {
 
 int clauseCnt = 0;
 if (where != NULL)
     {
     addWhereOrAnd(query, clauseCnt++);
     dyStringPrintf(query, " %s", where);
-    ;
     }
 if (!tblInfo->isSplit && noRandom)
     {
     addWhereOrAnd(query, clauseCnt++);
-    dyStringPrintf(query, " (%s not like \"%%__random\")", tblInfo->chromField);
+    sqlDyStringPrintf(query, " (%s not like \"%%__random\")", tblInfo->chromField);
     }
 if (!tblInfo->isSplit && noHap)
     {
     addWhereOrAnd(query, clauseCnt++);
-    dyStringPrintf(query, " (%s not like \"%%__hap%%\")", tblInfo->chromField);
+    sqlDyStringPrintf(query, " (%s not like \"%%__hap%%\")", tblInfo->chromField);
     }
 }
 
 static void selectFromTable(char *table, struct hTableInfo *tblInfo,
                             struct sqlConnection *conn, FILE *outFh)
 /* select from a table and output rows */
 {
 struct dyString *query = dyStringNew(0);
-dyStringPrintf(query, "SELECT %s.* FROM %s", table, table);
+sqlDyStringPrintf(query, "SELECT %s.* FROM %s", table, table);
 if (joinTbls != NULL)
-    dyStringPrintf(query, ",%s", joinTbls);
+    dyStringPrintf(query, ",%s", sqlCkIl(joinTbls));
 addWhereClause(tblInfo, query);
 verbose(2, "query: %s\n", query->string);
 
 struct sqlResult *sr = sqlGetResult(conn, query->string);
 int numCols = sqlCountColumns(sr);
 char **row;
 while ((row = sqlNextRow(sr)) != NULL)
     outputRow(outFh, tblInfo, numCols, row);
 sqlFreeResult(&sr);
 dyStringFree(&query);
 }
 
 static void selectFromSplitTable(char *db, char *table, struct hTableInfo *tblInfo,
                                  struct sqlConnection *conn, FILE *outFh)
 /* select from a split table */
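Review bot: The -where value is still appended verbatim on the `dyStringPrintf(query, " %s", where);` line in addWhereClause, so it is the one place left in this hunk where caller-supplied text enters the query without going through sqlDyStringPrintf or an sqlCk* check. That may be deliberate, since the usage text documents -where as a free-form SQL fragment typed by the person running the tool, but the commit title says "fix SQL Injection" and a reader will not know whether this line was overlooked or exempted; a comment such as `/* -where is a raw SQL fragment from the command line; passed through unescaped on purpose */` would settle that. In selectFromTable, `sqlDyStringPrintf(query, "SELECT %s.* FROM %s", table, table)` relies on %s being treated as an identifier when it is not inside quotes, which I cannot confirm from this page; if the library instead escapes it as a string literal, a check like the one applied to joinTbls via sqlCkIl would be the safer form. selectFromSplitTable's body continues past the end of the hunk.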