080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTables/hgTables.c src/hg/hgTables/hgTables.c
index fa49659..2623b45 100644
--- src/hg/hgTables/hgTables.c
+++ src/hg/hgTables/hgTables.c
@@ -317,31 +317,31 @@
 int dif;
 dif = chrStrippedCmp(a->chrom, b->chrom);
 if (dif == 0)
     dif = a->start - b->start;
 return dif;
 }
 
 static struct region *getRegionsFullGenomeLocal()
 /* get all the chrom ranges for a local database */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr;
 char **row;
 struct region *region, *regionList = NULL;
 
-sr = sqlGetResult(conn, "select chrom,size from chromInfo");
+sr = sqlGetResult(conn, "NOSQLINJ select chrom,size from chromInfo");
 while ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(region);
     region->chrom = cloneString(row[0]);
     region->end = sqlUnsigned(row[1]);
     region->fullChrom = TRUE;
     region->name = NULL;		/* unused for full chrom */
     slAddHead(&regionList, region);
     }
 slSort(&regionList, regionCmp);
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 return regionList;
 }
 
@@ -369,31 +369,31 @@
 /* Get a region list that covers all of each chromosome. */
 {
 if (trackHubDatabase(database))
     return getRegionsFullGenomeHub();
 return getRegionsFullGenomeLocal();
 }
 
 struct region *getEncodeRegions()
 /* Get encode regions from encodeRegions table. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr;
 char **row;
 struct region *list = NULL, *region;
 
-sr = sqlGetResult(conn, "select chrom,chromStart,chromEnd,name from encodeRegions order by name desc");
+sr = sqlGetResult(conn, "NOSQLINJ select chrom,chromStart,chromEnd,name from encodeRegions order by name desc");
 while ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(region);
     region->chrom = cloneString(row[0]);
     region->start = atoi(row[1]);
     region->end = atoi(row[2]);
     region->name = cloneString(row[3]);	/* encode region name	*/
     slAddHead(&list, region);
     }
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 return list;
 }
 
 boolean searchPosition(char *range, struct region *region)
@@ -516,31 +516,31 @@
 	}
     if (region->fullChrom) /* Full chromosome. */
 	{
 	sr = hExtendedChromQuery(conn, table, region->chrom,
 		extraWhere, FALSE, fields, NULL);
 	}
     else
 	{
 	sr = hExtendedRangeQuery(conn, table, region->chrom, region->start, region->end,
 		extraWhere, TRUE, fields, NULL);
 	}
     }
 else
     {
     struct dyString *query = dyStringNew(0);
-    dyStringPrintf(query, "select %s from %s", fields, table);
+    sqlDyStringPrintf(query, "select %-s from %s", sqlCkIl(fields), table);
     if (extraWhere)
          {
 	 dyStringAppend(query, " where ");
 	 dyStringAppend(query, extraWhere);
 	 }
     sr = sqlGetResult(conn, query->string);
     dyStringFree(&query);
     }
 return sr;
 }
 
 char *getDbTable(char *db, char *table)
 /* If table already contains its real database as a dot-prefix, then
  * return a clone of table; otherwise alloc and return db.table . */
 {
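Review bot: The `where` branch directly below the rewritten sqlDyStringPrintf line still appends `extraWhere` with plain `dyStringAppend`, so that fragment bypasses whatever checking sqlDyStringPrintf applies to the rest of the query; if extraWhere can ever carry caller-supplied text, the new `%-s`/sqlCkIl treatment of fields is undercut on the same line. Route it through the same formatter, e.g. `sqlDyStringPrintf(query, " where %-s", extraWhere);`, and state in the function comment that extraWhere must already be a checked clause, since that contract is what makes the `%-s` form acceptable. The hExtendedChromQuery/hExtendedRangeQuery path above passes extraWhere through unchanged as well, so the same contract applies there. The enclosing function starts above this hunk.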
@@ -702,31 +702,31 @@
 struct hTableInfo *hti = maybeGetHti(db, table, conn);
 hFreeConn(&conn);
 return hti;
 }
 
 
 boolean isPositional(char *db, char *table)
 /* Return TRUE if it looks to be a positional table. */
 {
 boolean result = FALSE;
 struct sqlConnection *conn = hAllocConn(db);
 if (sqlTableExists(conn, "chromInfo"))
     {
     char chromName[64];
     struct hTableInfo *hti;
-    sqlQuickQuery(conn, "select chrom from chromInfo limit 1",
+    sqlQuickQuery(conn, "NOSQLINJ select chrom from chromInfo limit 1",
 	chromName, sizeof(chromName));
     hti = hFindTableInfo(db, chromName, table);
     if (hti != NULL)
 	{
 	result = htiIsPositional(hti);
 	}
     }
 hFreeConn(&conn);
 return result;
 }
 
 boolean isSqlStringType(char *type)
 /* Return TRUE if type is a stringish SQL type. */
 {
 return strstr(type, "char") || strstr(type, "text")
@@ -788,31 +788,31 @@
     {
     next = el->next;
     sqlFieldTypeFree(&el);
     }
 *pList = NULL;
 }
 
 struct sqlFieldType *sqlListFieldsAndTypes(struct sqlConnection *conn, char *table)
 /* Get list of fields including their names and types.  The type currently is just
  * a MySQL type string. */
 {
 struct sqlFieldType *ft, *list = NULL;
 char query[512];
 struct sqlResult *sr;
 char **row;
-safef(query, sizeof(query), "describe %s", table);
+sqlSafef(query, sizeof(query), "describe %s", table);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     ft = sqlFieldTypeNew(row[0], row[1]);
     slAddHead(&list, ft);
     }
 sqlFreeResult(&sr);
 slReverse(&list);
 return list;
 }
 
 
 static struct trackDb *findTrackInGroup(char *name, struct trackDb *trackList,
 	struct grp *group)
 /* Find named track that is in group (NULL for any group).
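Review bot: `table` is interpolated into `describe %s` as a value on the new sqlSafef line, while the later fieldSpec hunk in this commit wraps identifier positions with `sqlCkId`/`sqlCkIl`; whether `%s` escaping in sqlSafef constrains an identifier (rather than a quoted value) is not visible here, so the consistent form would be `sqlSafef(query, sizeof(query), "describe %-s", sqlCkId(table));`. The function comment should also say that `table` must be a bare table name, since that caller contract is what the query relies on.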
@@ -1283,53 +1283,53 @@
 int fieldCount;
 char *idField;
 boolean showItemRgb = FALSE;
 int itemRgbCol = -1;	/*	-1 means not found	*/
 boolean printedColumns = FALSE;
 struct trackDb *tdb = findTdbForTable(db, curTrack, table, ctLookupName);
 
 hti = getHti(db, table, conn);
 idField = getIdField(db, curTrack, table, hti);
 
 showItemRgb=bedItemRgb(tdb);	/* should we expect itemRgb instead of "reserved" */
 
 /* If they didn't pass in a field list assume they want all fields. */
 if (fields != NULL)
     {
-    dyStringAppend(fieldSpec, fields);
+    dyStringAppend(fieldSpec, sqlCkIl(fields));
     fieldCount = countChars(fields, ',') + 1;
     }
 else
     {
     dyStringAppend(fieldSpec, "*");
     fieldCount = countTableColumns(conn, table);
     }
 
 /* If can find id field for table then get
  * uploaded list of identifiers, create identifier hash
  * and add identifier column to end of result set. */
 char *identifierFilter = NULL;
 if (idField != NULL)
     {
     idHash = identifierHash(db, table);
     if (idHash != NULL)
 	{
 	identifierFilter = identifierWhereClause(idField, idHash);
 	if (isEmpty(identifierFilter))
 	    {
 	    dyStringAppendC(fieldSpec, ',');
-	    dyStringAppend(fieldSpec, idField);
+	    dyStringAppend(fieldSpec, sqlCkId(idField));
 	    }
 	}
     }
 isPositional = htiIsPositional(hti);
 
 /* Loop through each region. */
 for (region = regionList; region != NULL; region = region->next)
     {
     struct sqlResult *sr;
     char **row;
     int colIx, lastCol = fieldCount-1;
     char *filter = filterClause(dbVarName, tableVarName, region->chrom, identifierFilter);
 
     sr = regionQuery(conn, table, fieldSpec->string,
     	region, isPositional, filter);
@@ -1578,43 +1578,43 @@
 {
 cartRemove(cart, "hgta_metaStatus");
 cartRemove(cart, "hgta_metaVersion");
 cartRemove(cart, "hgta_metaDatabases");
 cartRemove(cart, "hgta_metaTables");
 }
 
 void doMetaData(struct sqlConnection *conn)
 /* Get meta data for a database. */
 {
 puts("Content-Type:text/plain\n");
 char *query = "";
 if (cartVarExists(cart, hgtaMetaStatus))
     {
     printf("Table status for database %s\n", database);
-    query = "SHOW TABLE STATUS";
+    query = "NOSQLINJ SHOW TABLE STATUS";
     }
 else if (cartVarExists(cart, hgtaMetaVersion))
     {
-    query = "SELECT @@VERSION";
+    query = "NOSQLINJ SELECT @@VERSION";
     }
 else if (cartVarExists(cart, hgtaMetaDatabases))
     {
-    query = "SHOW DATABASES";
+    query = "NOSQLINJ SHOW DATABASES";
     }
 else if (cartVarExists(cart, hgtaMetaTables))
     {
-    query = "SHOW TABLES";
+    query = "NOSQLINJ SHOW TABLES";
     }
 struct sqlResult *sr;
 char **row;
 char *sep="";
 int c = 0;
 int numCols = 0;
 sr = sqlGetResult(conn, query);
 numCols = sqlCountColumns(sr);
 char *field;
 while ((field = sqlFieldName(sr)) != NULL)
     printf("%s \t", field);
 printf("\n");
 while ((row = sqlNextRow(sr)) != NULL)
     {
     sep="";
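Review bot: When none of the four cart variables is set, `query` keeps its initial `""` and reaches `sqlGetResult(conn, query)` without a NOSQLINJ marker, so that path presumably now fails the injection check at run time instead of being handled deliberately. Guard it before the query is issued, e.g. `if (isEmpty(query)) return;` after the if/else chain, or give the chain a final else that reports the missing request. doMetaData continues past the end of this hunk.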