080a160c7b9595d516c9c70e83689a09b60839d0
galt
Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTrackUi/hgTrackUi.c src/hg/hgTrackUi/hgTrackUi.c
index 8c2f00e..bb1c4db 100644
--- src/hg/hgTrackUi/hgTrackUi.c
+++ src/hg/hgTrackUi/hgTrackUi.c
@@ -941,31 +941,31 @@
struct sqlConnection *conn = hAllocConn(database);
char query[256];
char **row;
struct sqlResult *sr;
struct slName *sList = NULL, *item;
int menuSize = 0;
char **menu;
int i;
char *tableList[3];
i = 0;
tableList[i++] = "dbRIPAlu";
tableList[i++] = "dbRIPL1";
tableList[i++] = "dbRIPSVA";
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
"SELECT genoRegion FROM dbRIPAlu GROUP BY genoRegion ORDER BY genoRegion DESC");
sr = sqlGetResult(conn, query);
while ((row = sqlNextRow(sr)) != NULL)
{
slNameAddHead(&sList, row[0]);
}
sqlFreeResult(&sr);
menuSize = slCount(sList) + 1;
menu = needMem((size_t)(menuSize * sizeof(char *)));
i = 0;
menu[i++] = GENO_REGION_DEFAULT;
for (item = sList; item != NULL; item = item->next)
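Review bot: The list filled in the `while` loop is built with `slNameAddHead`, so rows that arrive in `ORDER BY genoRegion DESC` order appear to end up reversed in the menu; if an ascending menu is the intent, a comment such as `/* rows come back DESC; AddHead reverses them so the menu reads ascending */` would save the next reader a double take. The query at the changed line carries no format arguments, so the `sqlSafef` switch alters no escaping here and only keeps every query-construction site on the same path. The enclosing function starts before this hunk.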
@@ -980,57 +980,57 @@
menuSize = 3;
menu = needMem((size_t)(menuSize * sizeof(char *)));
i = 0;
menu[i++] = POLY_SOURCE_DEFAULT;
menu[i++] = "yes";
menu[i++] = "no";
puts("
\nInsertion found in reference sequence: ");
cgiMakeDropList(POLY_SOURCE, menu, menuSize,
cartCgiUsualString(cart, POLY_SOURCE, menu[0]));
freez(&menu);
for (i = 0; i < 3; ++i)
{
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
"SELECT polySubfamily FROM %s GROUP BY polySubfamily ORDER BY polySubfamily DESC", tableList[i]);
sr = sqlGetResult(conn, query);
while ((row = sqlNextRow(sr)) != NULL)
{
slNameStore(&sList, row[0]);
}
sqlFreeResult(&sr);
}
slNameSortCase(&sList);
menuSize = slCount(sList) + 1;
menu = needMem((size_t)(menuSize * sizeof(char *)));
i = 0;
menu[i++] = POLY_SUBFAMILY_DEFAULT;
for (item = sList; item != NULL; item = item->next)
menu[i++] = item->name;
puts("
\nInsertion identified in sub-family: ");
cgiMakeDropList(POLY_SUBFAMILY, menu, menuSize,
cartCgiUsualString(cart, POLY_SUBFAMILY, menu[0]));
slFreeList(&sList);
freez(&menu);
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
"SELECT ethnicGroup FROM polyGenotype GROUP BY ethnicGroup ORDER BY ethnicGroup DESC");
sr = sqlGetResult(conn, query);
while ((row = sqlNextRow(sr)) != NULL)
{
slNameStore(&sList, row[0]);
}
sqlFreeResult(&sr);
menuSize = slCount(sList) + 1;
menu = needMem((size_t)(menuSize * sizeof(char *)));
i = 0;
menu[i++] = ETHNIC_GROUP_DEFAULT;
for (item = sList; item != NULL; item = item->next)
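Review bot: At the `sqlSafef` call inside the `for (i = 0; i < 3; ++i)` loop, the `%s` receives `tableList[i]`, which holds only the three compile-time table names assigned earlier in the function, so the new escaping changes nothing in the text that reaches the database; that deserves a comment, because a table-name position is exactly where string escaping cannot protect you and an allow-list check is the only defence if the list ever becomes data-driven. Suggested comment above the call: `/* tableList holds fixed identifiers, not user data; an identifier position must be allow-listed, escaping alone would not protect it */`. The other two queries in this hunk are constant strings and need no such note. The enclosing function starts before and ends after this hunk.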
@@ -1580,31 +1580,31 @@
char *geneLabel;
safef(varName, sizeof(varName), "%s.label", tdb->track);
geneLabel = cartUsualString(cart, varName, "OMIM ID");
printf("
Label: ");
radioButton(varName, geneLabel, "OMIM ID");
radioButton(varName, geneLabel, "OMIM gene or syndrome");
radioButton(varName, geneLabel, "UCSC gene symbol");
}
void knownGeneIdConfig(struct trackDb *tdb)
/* Put up gene ID track controls */
{
struct sqlConnection *conn = hAllocConn(database);
char query[256];
char *omimAvail = NULL;
-safef(query, sizeof(query), "select kgXref.kgID from kgXref,refLink where kgXref.refseq = refLink.mrnaAcc and refLink.omimId != 0 limit 1");
+sqlSafef(query, sizeof(query), "select kgXref.kgID from kgXref,refLink where kgXref.refseq = refLink.mrnaAcc and refLink.omimId != 0 limit 1");
omimAvail = sqlQuickString(conn, query);
hFreeConn(&conn);
printf("Label: ");
labelMakeCheckBox(tdb, "gene", "gene symbol", FALSE);
labelMakeCheckBox(tdb, "kgId", "UCSC Known Gene ID", FALSE);
labelMakeCheckBox(tdb, "prot", "UniProt Display ID", FALSE);
if (omimAvail != NULL)
{
char sym[32];
safef(sym, sizeof(sym), "omim%s", cartString(cart, "db"));
labelMakeCheckBox(tdb, sym, "OMIM ID", FALSE);
}
printf("
\n");
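Review bot: `omimAvail` receives the result of `sqlQuickString` and is only tested for NULL; if that helper hands back a heap-allocated copy, as the `char *` type and its use suggest, the string is never released in the visible part of `knownGeneIdConfig`. Adding `freez(&omimAvail);` after the `if (omimAvail != NULL)` block would close that, matching how `menu` is released with `freez` elsewhere in this file. Releasing the connection with `hFreeConn` before any output starts is the right order, and the changed query has no format arguments, so the `sqlSafef` switch has no escaping effect to verify here. The function body continues past the end of this hunk.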
@@ -1696,31 +1696,31 @@
labelMakeCheckBox(tdb, "acc", "accession", FALSE);
printf("
\n");
baseColorDrawOptDropDown(cart, tdb);
}
void refGeneUI(struct trackDb *tdb)
/* Put up refGene or xenoRefGene gene ID track controls, with checkboxes */
{
/* Figure out if OMIM database is available. */
int omimAvail = 0;
if (sameString(tdb->track, "refGene"))
{
struct sqlConnection *conn = hAllocConn(database);
char query[128];
- safef(query, sizeof(query), "select refLink.omimId from refLink, refGene where refLink.mrnaAcc = refGene.name and refLink.omimId != 0 limit 1");
+ sqlSafef(query, sizeof(query), "select refLink.omimId from refLink, refGene where refLink.mrnaAcc = refGene.name and refLink.omimId != 0 limit 1");
omimAvail = sqlQuickNum(conn, query);
hFreeConn(&conn);
}
/* Put up label line - boxes for gene, accession or maybe OMIM. */
printf("Label: ");
labelMakeCheckBox(tdb, "gene", "gene", TRUE);
labelMakeCheckBox(tdb, "acc", "accession", FALSE);
if (omimAvail != 0)
{
char sym[32];
safef(sym, sizeof(sym), "omim%s", cartString(cart, "db"));
labelMakeCheckBox(tdb, sym, "OMIM ID", FALSE);
}
printf("
\n");
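Review bot: `char query[128]` in `refGeneUI` now holds a 112-character literal plus any marker `sqlSafef` may prepend to tag the buffer as checked, leaving very little headroom; if this formatter family aborts on truncation the way kent's `safef` does, a modest future edit to that query would crash the configuration page rather than fail quietly. Declaring it `char query[256];` like the query buffers in `knownGeneIdConfig` and `dgvUi` removes the hazard at no cost and keeps the three functions consistent. The query itself takes no format arguments, so the escaping change is behaviour-neutral here. `refGeneUI` begins inside this hunk and continues past its end.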
@@ -2429,31 +2429,31 @@
cgiMakeRadioButton(PCR_RESULT_TARGET_STYLE, PCR_RESULT_TARGET_STYLE_TALL,
sameString(chosen, PCR_RESULT_TARGET_STYLE_TALL));
printf("Show the whole %s item with amplified part tall",
target->description);
}
baseColorDrawOptDropDown(cart, tdb);
}
void dgvUi(struct trackDb *tdb)
/* Database of Genomic Variants: filter by publication. */
{
struct sqlConnection *conn = hAllocConn(database);
struct sqlResult *sr;
char **row;
char query[256];
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
"select reference,pubMedId from %s group by pubMedId order by reference;", tdb->table);
sr = sqlGetResult(conn, query);
printf("
Filter by publication reference:\n");
char cartVarName[256];
safef (cartVarName, sizeof(cartVarName), "hgt_%s_filterType", tdb->track);
boolean isInclude = sameString("include", cartUsualString(cart, cartVarName, "include"));
cgiMakeRadioButton(cartVarName, "include", isInclude);
printf("include\n");
cgiMakeRadioButton(cartVarName, "exclude", !isInclude);
printf("exclude
\n");
safef (cartVarName, sizeof(cartVarName), "hgt_%s_filterPmId", tdb->track);
boolean filterPmIdInCart = cartListVarExists(cart, cartVarName);
struct slName *checked = NULL;
if (filterPmIdInCart)
checked = cartOptionalSlNameList(cart, cartVarName);