080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection diff --git src/hg/hgText/hgText.c src/hg/hgText/hgText.c index 5231855..b9b2602 100644 --- src/hg/hgText/hgText.c +++ src/hg/hgText/hgText.c @@ -971,31 +971,31 @@ /* separate tables in db into positional and nonpositional lists, * with db added as a prefix to each name. */ { struct hash *posTableHash = newHash(7); struct hashEl *posTableList; struct hash *nonposTableHash = newHash(7); struct hashEl *nonposTableList; struct sqlResult *sr; char **row; char query[256]; char name[128]; char chrom[32]; char post[64]; char fullName[128]; -strcpy(query, "SHOW TABLES"); +strcpy(query, "NOSQLINJ SHOW TABLES"); sr = sqlGetResult(conn, query); while((row = sqlNextRow(sr)) != NULL) { if (excludeTable(row[0])) continue; /* if table name is of the form, chr*_random_* or chr*_*: */ if ( (sscanf(row[0], "chr%32[^_]_random_%64s", chrom, post) == 2) || (sscanf(row[0], "chr%32[^_]_hla_hap1_%64s", chrom, post) == 2) || (sscanf(row[0], "chr%32[^_]_hla_hap2_%64s", chrom, post) == 2) || (sscanf(row[0], "chr%32[^_]_%64s", chrom, post) == 2)) { snprintf(name, sizeof(name), "chrN_%s", post); // If a chrN_ table is already in the (positional) hash, // don't bother looking up its fields. @@ -1296,31 +1296,31 @@ puts("</TABLE>"); } void filterOptionsTableDb(char *fullTblName, char *db, char *tableId, boolean filterWiggle) /* Print out an HTML table with form inputs for constraints on table fields */ { struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; char **row; boolean gotFirst; char query[256]; char name[128]; char *newVal; -snprintf(query, sizeof(query), "DESCRIBE %s", fullTblName); +sqlSafef(query, sizeof(query), "DESCRIBE %s", fullTblName); sr = sqlGetResult(conn, query); puts("<TABLE><TR><TD>\n"); puts("<TABLE>\n"); gotFirst = FALSE; if (filterWiggle) { printf("<TR VALIGN=BOTTOM><TD> data value </TD><TD>\n"); puts(" is \n"); snprintf(name, sizeof(name), "cmp%s_wigDataValue", tableId); cgiMakeDropList(name, cmpOpMenu, cmpOpMenuSize, cgiUsualString(name, cmpOpMenu[0])); puts("</TD><TD>\n"); newVal = ""; snprintf(name, sizeof(name), "pat%s_wigDataValue", tableId); @@ -1955,31 +1955,31 @@ /* Add CGI variables for filtering constraints, so they will be passed to * the next page. Also parse the constraints and do a null query with them * in order to catch any syntax errors sooner rather than later. */ { struct cgiVar *current; char *constraints = constrainFields(tableId); char varName[128]; if ((constraints != NULL) && (constraints[0] != 0) && (! sameString(customTrackPseudoDb, db))) { struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; struct dyString *query = newDyString(512); // Null query will cause errAbort if there's a syntax error, no-op if OK. - dyStringPrintf(query, "SELECT 1 FROM %s WHERE 0 AND %s", + sqlDyStringPrintf(query, "SELECT 1 FROM %s WHERE 0 AND %s", fullTblName, constraints); sr = sqlGetResult(conn, query->string); dyStringFree(&query); sqlFreeResult(&sr); hFreeOrDisconnect(&conn); } if (tableId == NULL) tableId = ""; for (current = cgiVarList(); current != NULL; current = current->next) { /* Look for pattern variable associated with each field. */ snprintf(varName, sizeof(varName), "pat%s_", tableId); if (startsWith(varName, current->name)) cgiMakeHiddenVar(current->name, current->val); @@ -2632,31 +2632,31 @@ { field = newSlName("blockCount"); slAddHead(&fieldList, field); field = newSlName("blockSizes"); slAddHead(&fieldList, field); field = newSlName("chromStarts"); slAddHead(&fieldList, field); } } else { struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; char **row; char query[256]; - snprintf(query, sizeof(query), "DESCRIBE %s", fullTableName); + sqlSafef(query, sizeof(query), "DESCRIBE %s", fullTableName); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { field = newSlName(row[0]); slAddHead(&fieldList, field); } sqlFreeResult(&sr); hFreeOrDisconnect(&conn); } slReverse(&fieldList); return(fieldList); } struct slName *getChosenFields(boolean allFields) /* Return a list of chosen field names. */ @@ -2907,31 +2907,31 @@ boolean showTableDescriptions(struct sqlConnection *conn, char *table) /* Display autoSql definition and gbdDescriptions link for table, * if available. */ { boolean gotInfo = FALSE; static char *asTableName = "tableDescriptions"; if (sqlTableExists(conn, asTableName)) { struct sqlResult *sr = NULL; struct tableDescriptions *asi = NULL; char query[512]; char **row = NULL; - safef(query, sizeof(query), "select * from %s where tableName = '%s'", + sqlSafef(query, sizeof(query), "select * from %s where tableName = '%s'", asTableName, table); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { asi = tableDescriptionsLoad(row); gotInfo = TRUE; if (asi->autoSqlDef != NULL && asi->autoSqlDef[0] != 0) { puts("<H4><A HREF=\"http://www.linuxjournal.com/article.php?sid=5949\" TARGET=_BLANK>"); printf("AutoSql</A> definition of %s:</H4>\n", table); puts("<PRE><TT>"); puts(asi->autoSqlDef); puts("</TT></PRE>"); } if (asi->gbdAnchor != NULL && asi->gbdAnchor[0] != 0) @@ -2967,31 +2967,31 @@ if (sameString(table, "mrna")) { struct slName *slNew = newSlName(table); slFreeList(&tableList); tableList = slNew; } #endif /* NEEDED_UNTIL_GB_CDNA_INFO_CHANGE */ for (tPtr=tableList; tPtr != NULL; tPtr=tPtr->next) { count += sqlTableSize(conn, tPtr->name); } printf("<P>Table %s has %d rows total.<BR>\n", table, count); if (count > 0) { - dyStringPrintf(query, "select * from %s limit %d", tableList->name, n); + sqlDyStringPrintf(query, "select * from %s limit %d", tableList->name, n); sr = sqlGetResult(conn, query->string); printf ("Example rows of table %s (not necessarily from current position!):<BR>\n", table); puts("<TT><PRE>"); numberColumns = sqlCountColumns(sr); printf("#"); for (i = 0; i < numberColumns; i++) { printf("%s\t", sqlFieldName(sr)); } printf("\n"); while ((row = sqlNextRow(sr)) != NULL) { for (i = 0; i < numberColumns; i++) printf("%s\t", row[i]); @@ -3002,31 +3002,31 @@ } void descTable(boolean histButtons) /* Print out an HTML table showing table fields and types, and optionally * offering histograms for the text/enum fields. */ { char *db = getTableDb(); struct sqlConnection *conn = hAllocOrConnect(db); struct sqlResult *sr; char **row; boolean tooBig = (sqlTableSize(conn, fullTableName) > TOO_BIG_FOR_HISTO); char button[64]; char query[256]; -safef(query, sizeof(query), "desc %s", fullTableName); +sqlSafef(query, sizeof(query), "describe %s", fullTableName); sr = sqlGetResult(conn, query); // For some reason BORDER=1 does not work in our web.c nested table scheme. // So use web.c's trick of using an enclosing table to provide a border. puts("<!--outer table is for border purposes-->" "\n" "<TABLE BGCOLOR='#" HG_COL_BORDER "' BORDER=0 CELLSPACING=0 CELLPADDING=1><TR><TD>"); puts("<TABLE BGCOLOR='#" HG_COL_INSIDE "' BORDER=1 CELLSPACING=0>"); printf("<TR> <TH>name</TH> <TH>SQL type</TH> "); histButtons = (histButtons && ! tooBig); if (histButtons) printf("<TH>text value histogram</TH> "); puts("</TR>"); while ((row = sqlNextRow(sr)) != NULL) { printf("<TR> <TD><TT>%s</TT></TD> <TD><TT>%s</TT></TD>", row[0], row[1]); if (histButtons) @@ -3206,54 +3206,54 @@ { dyStringAppend(fieldSpec, ","); dyStringAppend(fieldSpec, hti->nameField); } conn = hAllocOrConnect(db); gotResults = FALSE; if (tableIsSplit) { for (chromPtr=chromList; chromPtr != NULL; chromPtr = chromPtr->next) { getFullTableName(fullTableName, chromPtr->name, table); if (! sqlTableExists(conn, fullTableName)) continue; dyStringClear(query); - dyStringPrintf(query, "SELECT %s FROM %s", + sqlDyStringPrintf(query, "SELECT %s FROM %s", fieldSpec->string, fullTableName); if ((! allGenome) && tableIsPositional) { - dyStringPrintf(query, " WHERE %s < %d AND %s > %d", + sqlDyStringPrintf(query, " WHERE %s < %d AND %s > %d", hti->startField, winEnd, hti->endField, winStart); if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " AND %s", constraints); } else if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " WHERE %s", constraints); sr = sqlGetResult(conn, query->string); gotResults = printTabbedResults(sr, gotResults); sqlFreeResult(&sr); } } else { dyStringClear(query); - dyStringPrintf(query, "SELECT %s FROM %s", + sqlDyStringPrintf(query, "SELECT %s FROM %s", fieldSpec->string, fullTableName); if ((! allGenome) && tableIsPositional) { - dyStringPrintf(query, " WHERE %s < %d AND %s > %d", + sqlDyStringPrintf(query, " WHERE %s < %d AND %s > %d", hti->startField, winEnd, hti->endField, winStart); if (! sameString("", hti->chromField)) dyStringPrintf(query, " AND %s = \'%s\'", hti->chromField, chrom); if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " AND %s", constraints); } else if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " WHERE %s", constraints); sr = sqlGetResult(conn, query->string); gotResults = printTabbedResults(sr, gotResults); sqlFreeResult(&sr); } if (! gotResults) printf("\n# No results returned from query.\n\n"); @@ -4095,31 +4095,31 @@ puts("<HR>"); puts("<A HREF=\"/goldenPath/help/hgTextHelp.html#Stats\">" "<B>Help</B></A><P>"); printf("<H4> Your query on %s: </H4>\n", table); constraints = constrainFields(NULL); if ((constraints != NULL) && (constraints[0] == 0)) constraints = NULL; if (constraints != NULL) printf("Constraints on %s: %s<P>\n", table, constraints); else printf("No constraints selected on fields of %s.<P>\n", table); dyStringClear(query); -dyStringPrintf(query, "select count(*) from %s%s%s", table, +sqlDyStringPrintf(query, "select count(*) from %s%s%-s", table, (constraints ? " where " : ""), (constraints ? constraints : "")); conn = hAllocOrConnect(db); numRows = sqlQuickNum(conn, query->string); hFreeOrDisconnect(&conn); printf("Number of rows in %s%s: %d<P>\n", table, constraints ? " matching constraints" : "", numRows); descForm(); webEnd(); } struct slName *getOrderedChromList() /* Put the _random's at the end, and break them into two lines. */ /* Also, put the alpha-name chroms after the numeric-name chroms. */ @@ -4857,38 +4857,38 @@ wild = slNameNew(word); slAddHead(&wildNames, wild); } } } conn = hAllocOrConnect(db); for (chromPtr=chromList; chromPtr != NULL; chromPtr=chromPtr->next) { getFullTableName(fullTableName, chromPtr->name, table); if (! sqlTableExists(conn, fullTableName)) continue; dyStringClear(query); if (isBatch() && hti->nameField[0] != 0) { - dyStringPrintf(query, "SELECT %s,%s FROM %s", field, hti->nameField, + sqlDyStringPrintf(query, "SELECT %s,%s FROM %s", field, hti->nameField, fullTableName); } else - dyStringPrintf(query, "SELECT %s FROM %s", field, fullTableName); + sqlDyStringPrintf(query, "SELECT %s FROM %s", field, fullTableName); if (tableIsPositional) { - dyStringPrintf(query, " WHERE %s < %d AND %s > %d", + sqlDyStringPrintf(query, " WHERE %s < %d AND %s > %d", hti->startField, winEnd, hti->endField, winStart); if (! sameString("", hti->chromField)) dyStringPrintf(query, " AND %s = \'%s\'", hti->chromField, chrom); if ((constraints != NULL) && (constraints[0] != 0)) dyStringPrintf(query, " AND %s", constraints); } else if (constraints) dyStringPrintf(query, " WHERE %s", constraints); sr = sqlGetResult(conn, query->string); // make a hash of field values to frequencies, // filtering with user keys if specified: while ((row = sqlNextRow(sr)) != NULL) { if ((! isBatch()) || (hti->nameField[0] == 0) ||