080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTrackUi/cgapSageUi.c src/hg/hgTrackUi/cgapSageUi.c
index 1f6b031..ea55d66 100644
--- src/hg/hgTrackUi/cgapSageUi.c
+++ src/hg/hgTrackUi/cgapSageUi.c
@@ -1,39 +1,45 @@
 #include "common.h"
 #include "cheapcgi.h"
 #include "hgTrackUi.h"
 #include "trackDb.h"
 #include "cgapSage/cgapSage.h"
 #include "cgapSage/cgapSageLib.h"
 
 static struct slName *getListFromCgapSageLibs(struct sqlConnection *conn, char *column, boolean returnIds, boolean distinct)
 /* Return [unique] list of tissues sorted alphabetically. */
 {
 struct slName *list = NULL;
-char query[256];
+struct dyString *dy = dyStringNew(0);
 char **row;
 struct sqlResult *sr;
-safef(query, sizeof(query), "select %s%s%s from cgapSageLib order by %s", (distinct) ? "distinct " : "", 
-      column, (returnIds) ? ",libId" : "", column);
-sr = sqlGetResult(conn, query);
+sqlDyStringPrintf(dy, "select ");
+if (distinct)
+    dyStringAppend(dy, "distinct ");
+sqlDyStringPrintf(dy, "%s", column);
+if (returnIds)
+    dyStringAppend(dy, ",libId");
+sqlDyStringPrintf(dy, " from cgapSageLib order by %s", column);
+sr = sqlGetResult(conn, dy->string);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     char *word = (returnIds) ? row[1] : row[0];
     slNameAddHead(&list, word);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
+dyStringFree(&dy);
 return list;
 }
 
 static void cgapSageDropList(struct slName *choices, struct slName *valList, char *dropName, char *selected)
 /* Make a drop list from the slName list. */
 {
 struct slName *choice;
 char **items;
 char **vals;
 int i;
 int size = slCount(choices);
 AllocArray(items, size + 1);
 items[0] = "All";
 for (choice = choices, i = 1; choice != NULL; choice = choice->next, i++)
     items[i] = choice->name;
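Review bot: `column` is still interpolated unquoted in two identifier positions (`select %s` on the added line and `order by %s` two lines later), and string-literal escaping by `%s` does not constrain an unquoted identifier, so the fix only holds if every caller passes a compile-time literal column name; the callers are not visible here, so that is inferred. I would either validate `column` against the known columns of cgapSageLib before building the query (one `errAbort` on mismatch), or at minimum document the contract above the function, e.g. `/* column must be a literal column name of cgapSageLib; it is inserted unquoted as an identifier, so never pass CGI input. */`. The header comment "Return [unique] list of tissues" is also stale now that the function returns either the column's values or libId depending on returnIds. The hunk's trailing function cgapSageDropList continues outside the hunk.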