080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgTracks/expRatioTracks.c src/hg/hgTracks/expRatioTracks.c
index cb63541..8d9b071 100644
--- src/hg/hgTracks/expRatioTracks.c
+++ src/hg/hgTracks/expRatioTracks.c
@@ -25,31 +25,31 @@
 char *erFilter = UCSF_DEMO_ER_DEFAULT;
 char *prFilter = UCSF_DEMO_PR_DEFAULT;
 struct hash *clinicalHash;
 struct hash *getClinicalData(char *tableName)
 {
 struct hash *ret = NULL;
 char query[512];
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr;
 char **row;
 struct simpleClinical *clinicalItem = NULL;
 ret = newHash(16);
-safef(query, sizeof(query), "select id, er, pr from %s", tableName);
+sqlSafef(query, sizeof(query), "select id, er, pr from %s", tableName);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(clinicalItem);
     clinicalItem->er = cloneString(row[1]);
     clinicalItem->pr = cloneString(row[2]);
     hashAdd(ret, cloneString(row[0]), clinicalItem);
     }
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 return ret;
 }
 static void loadFiltersAndHash(char *tableName)
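Review bot: The new `sqlSafef(query, sizeof(query), "select id, er, pr from %s", tableName);` substitutes `tableName` in an identifier position, and as far as I can tell sqlSafef's `%s` handling string-escapes quotes and backslashes, which does not constrain an identifier that carries spaces, semicolons or other SQL syntax; the same applies to `table` in the `select * from %s order by id asc` line of the second hunk, whose enclosing msBedGroupByIndex() starts and ends outside that hunk. The change is therefore sufficient only while every caller passes a trusted table name, which neither hunk shows. I would document that contract above getClinicalData: `/* tableName is an SQL identifier; sqlSafef escaping does not cover identifier positions, so callers must pass a trusted (trackDb-derived) table name, never raw CGI input. */`. Separately, `hashAdd(ret, cloneString(row[0]), clinicalItem)` appears to leak the cloned key if hashAdd copies names into the hash's own storage as the kent hash does; passing `row[0]` directly would avoid it.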
@@ -378,31 +378,31 @@
 struct bed *bed;
 /* traditionally if there is nothing to show show nothing .... */
 if(bedList == NULL)
     return NULL;
 /* otherwise if we're goint to do some filtering set up the data structures */
 conn = sqlConnect(database);
 indexes = newHash(6);
 expTypes = newHash(6);
 expIndexesToNames = newHash(6);
 /* load the experiment information */
-snprintf(buff, sizeof(buff), "select * from %s order by id asc", table);
+sqlSafef(buff, sizeof(buff), "select * from %s order by id asc", table);
 erList = expRecordLoadByQuery(conn, buff);
 if(erList == NULL)
     errAbort("hgTracks::msBedGroupByIndex() - can't get any records for %s in table %s\n", buff, table);
 sqlDisconnect(&conn);
 /* build hash to map experiment ids to types */
 for(er = erList; er != NULL; er = er->next)
     {
     char *name;
     if (expIndex >= 0 && er->numExtras > expIndex)
         name = er->extras[expIndex];
     else
         name = er->name;
     snprintf(buff, sizeof(buff), "%d", er->id);
     hashAdd(expTypes, buff, name);