080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTracks/contigTrack.c src/hg/hgTracks/contigTrack.c
index d7050a8..58d4cdc 100644
--- src/hg/hgTracks/contigTrack.c
+++ src/hg/hgTracks/contigTrack.c
@@ -6,31 +6,31 @@
 #include "jksql.h"
 #include "hdb.h"
 #include "hgTracks.h"
 #include "ctgPos.h"
 
 static void contigLoad(struct track *tg)
 /* Load up contigs from database table to track items. */
 {
 char query[256];
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr = NULL;
 char **row;
 struct ctgPos *ctgList = NULL, *ctg;
 
 /* Get the contigs and load into tg->items. */
-sprintf(query, "select * from %s where chrom = '%s' and chromStart<%u and chromEnd>%u",
+sqlSafef(query, sizeof query, "select * from %s where chrom = '%s' and chromStart<%u and chromEnd>%u",
     tg->table, chromName, winEnd, winStart);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     ctg = ctgPosLoad(row);
     slAddHead(&ctgList, ctg);
     }
 slReverse(&ctgList);
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 tg->items = ctgList;
 }
 
 static char *abbreviateContig(char *string, MgFont *font, int width)
 /* Return a string abbreviated enough to fit into space. */
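Review bot: The `%s` for `tg->table` in the new sqlSafef call sits outside quotes, in identifier position, where quote-escaping cannot neutralize an injected value — a table name like `foo where 1=1 union ...` is only stopped if sqlSafef validates unquoted `%s` arguments as identifiers, which this hunk does not show. Whether `tg->table` can be influenced by the request (custom tracks, trackDb overrides) is not visible here either, so this should be confirmed rather than assumed. I would add a comment on that line making the dependency explicit, e.g. `/* table name is unquoted: relies on sqlSafef rejecting non-identifier values for %s */`, or validate the name with the library's identifier check before formatting. Separately, `winEnd`/`winStart` are formatted with `%u`; if they are declared `int` elsewhere in hgTracks, the specifier should be `%d` so a negative window does not silently become a huge unsigned bound.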