080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTracks/expRatioTracks.c src/hg/hgTracks/expRatioTracks.c
index cb63541..8d9b071 100644
--- src/hg/hgTracks/expRatioTracks.c
+++ src/hg/hgTracks/expRatioTracks.c
@@ -25,31 +25,31 @@
 
 char *erFilter = UCSF_DEMO_ER_DEFAULT;
 char *prFilter = UCSF_DEMO_PR_DEFAULT;
 struct hash *clinicalHash;
 
 struct hash *getClinicalData(char *tableName)
 {
 struct hash *ret = NULL;
 char query[512];
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr;
 char **row;
 struct simpleClinical *clinicalItem = NULL;
 
 ret = newHash(16);
-safef(query, sizeof(query), "select id, er, pr from %s", tableName);
+sqlSafef(query, sizeof(query), "select id, er, pr from %s", tableName);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     AllocVar(clinicalItem);
     clinicalItem->er = cloneString(row[1]);
     clinicalItem->pr = cloneString(row[2]);
     hashAdd(ret, cloneString(row[0]), clinicalItem);
     }
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 return ret;
 }
 
 
 static void loadFiltersAndHash(char *tableName)
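Review bot: The `%s` in the new sqlSafef call at line 26 substitutes an identifier that sits outside any quotes, and sqlSafef's `%s` escaping is designed for string values inside quotes (quote and backslash characters), so the rewrite only narrows the exposure unless tableName is known to come from trackDb rather than from a CGI variable. If the tree's jksql already provides an identifier check (sqlCheckIdentifier exists there for this purpose), routing the name through it before formatting makes that explicit: `sqlSafef(query, sizeof(query), "select id, er, pr from %s", sqlCheckIdentifier(tableName));`. The same consideration applies to `table` in the second hunk (msBedGroupByIndex). Unrelated to the fix: `hashAdd(ret, cloneString(row[0]), clinicalItem)` at line 33 clones a key that hashAdd, as far as I recall, already copies into the hash's own storage, so the extra copy appears to be leaked.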
@@ -378,31 +378,31 @@
 struct bed *bed;
 
 /* traditionally if there is nothing to show
    show nothing .... */
 if(bedList == NULL)
     return NULL;
 
 /* otherwise if we're goint to do some filtering
    set up the data structures */
 conn = sqlConnect(database);
 indexes = newHash(6);
 expTypes = newHash(6);
 expIndexesToNames = newHash(6);
 
 /* load the experiment information */
-snprintf(buff, sizeof(buff), "select * from %s order by id asc", table);
+sqlSafef(buff, sizeof(buff), "select * from %s order by id asc", table);
 erList = expRecordLoadByQuery(conn, buff);
 if(erList == NULL)
     errAbort("hgTracks::msBedGroupByIndex() - can't get any records for %s in table %s\n", buff, table);
 sqlDisconnect(&conn);
 
 /* build hash to map experiment ids to types */
 for(er = erList; er != NULL; er = er->next)
     {
     char *name;
     if (expIndex >= 0 && er->numExtras > expIndex)
         name = er->extras[expIndex];
     else
         name = er->name;
     snprintf(buff, sizeof(buff), "%d", er->id);
     hashAdd(expTypes, buff, name);
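Review bot: The errAbort at line 62 still prints `buff` verbatim, and now that line 59 builds it with sqlSafef the message will, if sqlSafef prepends the library's NOSQLINJ marker as I understand the jksql convention, carry that internal tag in front of the SQL shown to the user; naming only the table reads better and exposes less of the query: `errAbort("hgTracks::msBedGroupByIndex() - can't get any records in table %s\n", table);`. The declaration of `buff` and the start of msBedGroupByIndex are outside the hunk, so its size is not visible here; sqlSafef, like safef, should abort rather than truncate on overflow, which is acceptable for a table name but worth confirming against the buffer's size.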