080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection diff --git src/hg/hgText/hgText.c src/hg/hgText/hgText.c index 5231855..b9b2602 100644 --- src/hg/hgText/hgText.c +++ src/hg/hgText/hgText.c @@ -971,31 +971,31 @@ /* separate tables in db into positional and nonpositional lists, * with db added as a prefix to each name. */ { struct hash *posTableHash = newHash(7); struct hashEl *posTableList; struct hash *nonposTableHash = newHash(7); struct hashEl *nonposTableList; struct sqlResult *sr; char **row; char query[256]; char name[128]; char chrom[32]; char post[64]; char fullName[128]; -strcpy(query, "SHOW TABLES"); +strcpy(query, "NOSQLINJ SHOW TABLES"); sr = sqlGetResult(conn, query); while((row = sqlNextRow(sr)) != NULL) { if (excludeTable(row[0])) continue; /* if table name is of the form, chr*_random_* or chr*_*: */ if ( (sscanf(row[0], "chr%32[^_]_random_%64s", chrom, post) == 2) || (sscanf(row[0], "chr%32[^_]_hla_hap1_%64s", chrom, post) == 2) || (sscanf(row[0], "chr%32[^_]_hla_hap2_%64s", chrom, post) == 2) || (sscanf(row[0], "chr%32[^_]_%64s", chrom, post) == 2)) { snprintf(name, sizeof(name), "chrN_%s", post); // If a chrN_ table is already in the (positional) hash, // don't bother looking up its fields. @@ -1296,31 +1296,31 @@ puts(""); } void filterOptionsTableDb(char *fullTblName, char *db, char *tableId, boolean filterWiggle) /* Print out an HTML table with form inputs for constraints on table fields */ { struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; char **row; boolean gotFirst; char query[256]; char name[128]; char *newVal; -snprintf(query, sizeof(query), "DESCRIBE %s", fullTblName); +sqlSafef(query, sizeof(query), "DESCRIBE %s", fullTblName); sr = sqlGetResult(conn, query); puts("
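Review bot: `strcpy(query, "NOSQLINJ SHOW TABLES");` spells the safe-query marker as an inline literal, while every other hunk in this commit obtains it through sqlSafef/sqlDyStringPrintf; `sqlSafef(query, sizeof(query), "SHOW TABLES");` would presumably yield the same marked string and keeps a single mechanism in the file. If the literal form is deliberate for constant queries, a short comment above the line, `// NOSQLINJ: constant query with no user-derived text`, would tell the next reader why the prefix is hand-written here. The enclosing function starts outside the hunk.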
\n"); puts("\n"); gotFirst = FALSE; if (filterWiggle) { printf("
data value \n"); puts(" is \n"); snprintf(name, sizeof(name), "cmp%s_wigDataValue", tableId); cgiMakeDropList(name, cmpOpMenu, cmpOpMenuSize, cgiUsualString(name, cmpOpMenu[0])); puts("\n"); newVal = ""; snprintf(name, sizeof(name), "pat%s_wigDataValue", tableId); @@ -1955,31 +1955,31 @@ /* Add CGI variables for filtering constraints, so they will be passed to * the next page. Also parse the constraints and do a null query with them * in order to catch any syntax errors sooner rather than later. */ { struct cgiVar *current; char *constraints = constrainFields(tableId); char varName[128]; if ((constraints != NULL) && (constraints[0] != 0) && (! sameString(customTrackPseudoDb, db))) { struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; struct dyString *query = newDyString(512); // Null query will cause errAbort if there's a syntax error, no-op if OK. - dyStringPrintf(query, "SELECT 1 FROM %s WHERE 0 AND %s", + sqlDyStringPrintf(query, "SELECT 1 FROM %s WHERE 0 AND %s", fullTblName, constraints); sr = sqlGetResult(conn, query->string); dyStringFree(&query); sqlFreeResult(&sr); hFreeOrDisconnect(&conn); } if (tableId == NULL) tableId = ""; for (current = cgiVarList(); current != NULL; current = current->next) { /* Look for pattern variable associated with each field. */ snprintf(varName, sizeof(varName), "pat%s_", tableId); if (startsWith(varName, current->name)) cgiMakeHiddenVar(current->name, current->val); 
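Review bot: `constraints` is passed through `%s` in `sqlDyStringPrintf(query, "SELECT 1 FROM %s WHERE 0 AND %s", fullTblName, constraints);` but through `%-s` for the same constrainFields() output in the 4095 hunk (`select count(*) from %s%s%-s`); the two should agree. If `%-s` is the unchecked pass-through form and `%s` applies sqlDyStringPrintf's checking, a constraint expression containing spaces or operators would presumably be rejected by this null query rather than by MySQL, defeating its purpose as an early syntax check. Whichever spec is correct, a one-line comment on the chosen form, `// constraints: built and validated by constrainFields()`, would record where the trust in that string comes from. The enclosing function starts and ends outside the hunk.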
@@ -2632,31 +2632,31 @@ { field = newSlName("blockCount"); slAddHead(&fieldList, field); field = newSlName("blockSizes"); slAddHead(&fieldList, field); field = newSlName("chromStarts"); slAddHead(&fieldList, field); } } else { struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; char **row; char query[256]; - snprintf(query, sizeof(query), "DESCRIBE %s", fullTableName); + sqlSafef(query, sizeof(query), "DESCRIBE %s", fullTableName); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { field = newSlName(row[0]); slAddHead(&fieldList, field); } sqlFreeResult(&sr); hFreeOrDisconnect(&conn); } slReverse(&fieldList); return(fieldList); } struct slName *getChosenFields(boolean allFields) /* Return a list of chosen field names. */ @@ -2907,31 +2907,31 @@ boolean showTableDescriptions(struct sqlConnection *conn, char *table) /* Display autoSql definition and gbdDescriptions link for table, * if available. */ { boolean gotInfo = FALSE; static char *asTableName = "tableDescriptions"; if (sqlTableExists(conn, asTableName)) { struct sqlResult *sr = NULL; struct tableDescriptions *asi = NULL; char query[512]; char **row = NULL; - safef(query, sizeof(query), "select * from %s where tableName = '%s'", + sqlSafef(query, sizeof(query), "select * from %s where tableName = '%s'", asTableName, table); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { asi = tableDescriptionsLoad(row); gotInfo = TRUE; if (asi->autoSqlDef != NULL && asi->autoSqlDef[0] != 0) { puts("

"); printf("AutoSql definition of %s:

\n", table); puts("
");
 	    puts(asi->autoSqlDef);
 	    puts("
"); } if (asi->gbdAnchor != NULL && asi->gbdAnchor[0] != 0) @@ -2967,31 +2967,31 @@ if (sameString(table, "mrna")) { struct slName *slNew = newSlName(table); slFreeList(&tableList); tableList = slNew; } #endif /* NEEDED_UNTIL_GB_CDNA_INFO_CHANGE */ for (tPtr=tableList; tPtr != NULL; tPtr=tPtr->next) { count += sqlTableSize(conn, tPtr->name); } printf("

Table %s has %d rows total.
\n", table, count); if (count > 0) { - dyStringPrintf(query, "select * from %s limit %d", tableList->name, n); + sqlDyStringPrintf(query, "select * from %s limit %d", tableList->name, n); sr = sqlGetResult(conn, query->string); printf ("Example rows of table %s (not necessarily from current position!):
\n", table); puts("

");
     numberColumns = sqlCountColumns(sr);
     printf("#");
     for (i = 0; i < numberColumns; i++)
 	{
 	printf("%s\t", sqlFieldName(sr));
 	}
     printf("\n");
     while ((row = sqlNextRow(sr)) != NULL)
 	{
 	for (i = 0; i < numberColumns; i++)
 	    printf("%s\t", row[i]);
@@ -3002,31 +3002,31 @@
 }
 
 
 void descTable(boolean histButtons)
 /* Print out an HTML table showing table fields and types, and optionally
  * offering histograms for the text/enum fields. */
 {
 char *db = getTableDb();
 struct sqlConnection *conn = hAllocOrConnect(db);
 struct sqlResult *sr;
 char **row;
 boolean tooBig = (sqlTableSize(conn, fullTableName) > TOO_BIG_FOR_HISTO);
 char button[64];
 char query[256];
 
-safef(query, sizeof(query), "desc %s", fullTableName);
+sqlSafef(query, sizeof(query), "describe %s", fullTableName);
 sr = sqlGetResult(conn, query);
 // For some reason BORDER=1 does not work in our web.c nested table scheme.
 // So use web.c's trick of using an enclosing table to provide a border.
 puts("" "\n"
      "
"); puts(""); printf(" "); histButtons = (histButtons && ! tooBig); if (histButtons) printf(" "); puts(""); while ((row = sqlNextRow(sr)) != NULL) { printf("", row[0], row[1]); if (histButtons) 
@@ -3206,54 +3206,54 @@ { dyStringAppend(fieldSpec, ","); dyStringAppend(fieldSpec, hti->nameField); } conn = hAllocOrConnect(db); gotResults = FALSE; if (tableIsSplit) { for (chromPtr=chromList; chromPtr != NULL; chromPtr = chromPtr->next) { getFullTableName(fullTableName, chromPtr->name, table); if (! sqlTableExists(conn, fullTableName)) continue; dyStringClear(query); - dyStringPrintf(query, "SELECT %s FROM %s", + sqlDyStringPrintf(query, "SELECT %s FROM %s", fieldSpec->string, fullTableName); if ((! allGenome) && tableIsPositional) { - dyStringPrintf(query, " WHERE %s < %d AND %s > %d", + sqlDyStringPrintf(query, " WHERE %s < %d AND %s > %d", hti->startField, winEnd, hti->endField, winStart); if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " AND %s", constraints); } else if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " WHERE %s", constraints); sr = sqlGetResult(conn, query->string); gotResults = printTabbedResults(sr, gotResults); sqlFreeResult(&sr); } } else { dyStringClear(query); - dyStringPrintf(query, "SELECT %s FROM %s", + sqlDyStringPrintf(query, "SELECT %s FROM %s", fieldSpec->string, fullTableName); if ((! allGenome) && tableIsPositional) { - dyStringPrintf(query, " WHERE %s < %d AND %s > %d", + sqlDyStringPrintf(query, " WHERE %s < %d AND %s > %d", hti->startField, winEnd, hti->endField, winStart); if (! sameString("", hti->chromField)) dyStringPrintf(query, " AND %s = \'%s\'", hti->chromField, chrom); if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " AND %s", constraints); } else if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " WHERE %s", constraints); sr = sqlGetResult(conn, query->string); gotResults = printTabbedResults(sr, gotResults); sqlFreeResult(&sr); } if (! gotResults) printf("\n# No results returned from query.\n\n"); @@ -4095,31 +4095,31 @@ puts("
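Review bot: The `dyStringPrintf(query, " AND %s = \'%s\'", hti->chromField, chrom);` line in the else branch of this hunk, and the same line in the 4857 hunk, stay on plain `dyStringPrintf` while the lines around them move to `sqlDyStringPrintf`; `chrom` is interpolated inside quotes and, if it derives from the CGI position, is exactly the kind of value the new escaping is meant to cover. Changing both to `sqlDyStringPrintf(query, " AND %s = \'%s\'", hti->chromField, chrom);` keeps the whole query under one mechanism. The `" AND %s"` / `" WHERE %s"` appends of `constraints` also remain raw in both hunks, which is sound only if constrainFields() validates its output; a comment at the first such append, `// constraints: pre-validated by constrainFields(), appended verbatim`, would make that dependency explicit. The enclosing functions start and end outside both hunks.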
"); puts("" "Help

"); printf("

Your query on %s:

\n", table); constraints = constrainFields(NULL); if ((constraints != NULL) && (constraints[0] == 0)) constraints = NULL; if (constraints != NULL) printf("Constraints on %s: %s

\n", table, constraints); else printf("No constraints selected on fields of %s.

\n", table); dyStringClear(query); -dyStringPrintf(query, "select count(*) from %s%s%s", table, +sqlDyStringPrintf(query, "select count(*) from %s%s%-s", table, (constraints ? " where " : ""), (constraints ? constraints : "")); conn = hAllocOrConnect(db); numRows = sqlQuickNum(conn, query->string); hFreeOrDisconnect(&conn); printf("Number of rows in %s%s: %d

\n", table, constraints ? " matching constraints" : "", numRows); descForm(); webEnd(); } struct slName *getOrderedChromList() /* Put the _random's at the end, and break them into two lines. */ /* Also, put the alpha-name chroms after the numeric-name chroms. */ @@ -4857,38 +4857,38 @@ wild = slNameNew(word); slAddHead(&wildNames, wild); } } } conn = hAllocOrConnect(db); for (chromPtr=chromList; chromPtr != NULL; chromPtr=chromPtr->next) { getFullTableName(fullTableName, chromPtr->name, table); if (! sqlTableExists(conn, fullTableName)) continue; dyStringClear(query); if (isBatch() && hti->nameField[0] != 0) { - dyStringPrintf(query, "SELECT %s,%s FROM %s", field, hti->nameField, + sqlDyStringPrintf(query, "SELECT %s,%s FROM %s", field, hti->nameField, fullTableName); } else - dyStringPrintf(query, "SELECT %s FROM %s", field, fullTableName); + sqlDyStringPrintf(query, "SELECT %s FROM %s", field, fullTableName); if (tableIsPositional) { - dyStringPrintf(query, " WHERE %s < %d AND %s > %d", + sqlDyStringPrintf(query, " WHERE %s < %d AND %s > %d", hti->startField, winEnd, hti->endField, winStart); if (! sameString("", hti->chromField)) dyStringPrintf(query, " AND %s = \'%s\'", hti->chromField, chrom); if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " AND %s", constraints); } else if (constraints) dyStringPrintf(query, " WHERE %s", constraints); sr = sqlGetResult(conn, query->string); // make a hash of field values to frequencies, // filtering with user keys if specified: while ((row = sqlNextRow(sr)) != NULL) { if ((! isBatch()) || (hti->nameField[0] == 0) ||
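Review bot: The switch to `%-s` for `constraints` in `sqlDyStringPrintf(query, "select count(*) from %s%s%-s", ...)` is the one place in this commit where a user-derived string is deliberately passed through what appears to be the unchecked form, and it carries no comment; `// %-s: constraints is validated by constrainFields(), not re-checked here` would record that decision. The null query in the 1955 hunk uses `%s` for the same value, so one of the two is presumably wrong. Separately, the `printf("Constraints on %s: %s...", table, constraints)` lines just above emit both values into HTML without encoding, which this commit does not touch but which a follow-up on output escaping should cover. The enclosing function starts outside the hunk.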

name SQL typetext value histogram
%s %s