src/hg/hgTracks/gencodeTracks.c 080a160c7b9595d516c9c70e83689a09b60839d0

080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTracks/gencodeTracks.c src/hg/hgTracks/gencodeTracks.c
index 747925e..f256eae 100644
--- src/hg/hgTracks/gencodeTracks.c
+++ src/hg/hgTracks/gencodeTracks.c
@@ -345,86 +345,86 @@
                                 struct linkedFeatures *lf)
 /* compute the highlight color based on a extra fields returned in a row, setting
  * the linkedFeatures field */
 {
 if (highlightBySupportLevelSelected(row, gencodeQuery) || highlightByTranscriptTypeSelected(row, gencodeQuery)
     || highlightByTranscriptMethodSelected(row, gencodeQuery))
     {
     lf->highlightColor = highlightColor;
     lf->highlightMode = highlightBackground;
     }
 }
 
 static void addQueryTables(struct track *tg, struct gencodeQuery *gencodeQuery)
 /* add required from tables and joins */
 {
-dyStringPrintf(gencodeQuery->from, "%s g", tg->table);
+sqlDyStringPrintf(gencodeQuery->from, "%s g", tg->table);
 if (gencodeQuery->joinAttrs)
     {
-    dyStringPrintf(gencodeQuery->from, ", %s attrs", trackDbRequiredSetting(tg->tdb, "wgEncodeGencodeAttrs"));
+    sqlDyStringPrintf(gencodeQuery->from, ", %s attrs", trackDbRequiredSetting(tg->tdb, "wgEncodeGencodeAttrs"));
     dyStringAppend(gencodeQuery->where, " and (attrs.transcriptId = g.name)");
     }
 if (gencodeQuery->joinTransSrc)
     {
-    dyStringPrintf(gencodeQuery->from, ", %s transSrc", trackDbRequiredSetting(tg->tdb, "wgEncodeGencodeTranscriptSource"));
+    sqlDyStringPrintf(gencodeQuery->from, ", %s transSrc", trackDbRequiredSetting(tg->tdb, "wgEncodeGencodeTranscriptSource"));
     dyStringAppend(gencodeQuery->where, " and (transSrc.transcriptId = g.name)");
     }
 if (gencodeQuery->joinSupportLevel)
     {
-    dyStringPrintf(gencodeQuery->from, ", %s supLevel", trackDbRequiredSetting(tg->tdb, "wgEncodeGencodeTranscriptionSupportLevel"));
+    sqlDyStringPrintf(gencodeQuery->from, ", %s supLevel", trackDbRequiredSetting(tg->tdb, "wgEncodeGencodeTranscriptionSupportLevel"));
     dyStringAppend(gencodeQuery->where, " and (supLevel.transcriptId = g.name)");
     }
 }
 
 static boolean tableIsGenePredX(struct track *tg)
 /* determine if a table has genePred extended fields.  two-way consensus
  * pseudo doesn't have them. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct slName *fields = sqlFieldNames(conn, tg->table);
 hFreeConn(&conn);
 boolean isGenePredX = slNameInList(fields, "score");
 slFreeList(&fields);
 return isGenePredX;
 }
 
 static struct gencodeQuery *gencodeQueryConstruct(struct track *tg)
 /* construct the query for a GENCODE genePred track, which includes filters. */
 {
 static char *genePredXFields = "g.name, g.chrom, g.strand, g.txStart, g.txEnd, g.cdsStart, g.cdsEnd, g.exonCount, g.exonStarts, g.exonEnds, g.score, g.name2, g.cdsStartStat, g.cdsEndStat, g.exonFrames";
 static char *genePredFields = "g.name, g.chrom, g.strand, g.txStart, g.txEnd, g.cdsStart, g.cdsEnd, g.exonCount, g.exonStarts, g.exonEnds";
 
 struct gencodeQuery *gencodeQuery = gencodeQueryNew();
 gencodeQuery->isGenePredX = tableIsGenePredX(tg);
 gencodeQuery->nextFieldCol = (gencodeQuery->isGenePredX ? GENEPREDX_NUM_COLS : GENEPRED_NUM_COLS);
 dyStringAppend(gencodeQuery->fields, (gencodeQuery->isGenePredX ? genePredXFields : genePredFields));
 
 // bin range overlap part
 hAddBinToQuery(winStart, winEnd, gencodeQuery->where);
-dyStringPrintf(gencodeQuery->where, "(g.chrom = \"%s\") and (g.txStart < %u) and (g.txEnd > %u)", chromName, winEnd, winStart);
+sqlDyStringPrintf(gencodeQuery->where, "(g.chrom = \"%s\") and (g.txStart < %u) and (g.txEnd > %u)", chromName, winEnd, winStart);
 
 gencodeFilterBySetQuery(tg, gencodeQuery);
 gencodeHighlightBySetQuery(tg, gencodeQuery);
 addQueryTables(tg, gencodeQuery);
 return gencodeQuery;
 }
 
 static struct sqlResult *gencodeMakeQuery(struct sqlConnection *conn, struct gencodeQuery *gencodeQuery)
 /* make the actual SQL query */
 {
 struct dyString *query = dyStringNew(0);
-dyStringPrintf(query, "select %s from %s where %s", dyStringContents(gencodeQuery->fields), dyStringContents(gencodeQuery->from), dyStringContents(gencodeQuery->where));
+sqlDyStringPrintf(query, "select %-s from %s where %-s", sqlCkIl(dyStringContents(gencodeQuery->fields)), dyStringContents(gencodeQuery->from), dyStringContents(gencodeQuery->where));
 struct sqlResult *sr = sqlGetResult(conn, dyStringContents(query));
 dyStringFree(&query);
 return sr;
 }
 
 static struct linkedFeatures *loadGencodeGenePred(struct track *tg, struct gencodeQuery *gencodeQuery, char **row, unsigned highlightColor)
 /* load one genePred record into a linkedFeatures object */
 {
 struct genePred *gp = genePredExtLoad(row, (gencodeQuery->isGenePredX ? GENEPREDX_NUM_COLS:  GENEPRED_NUM_COLS));
 struct linkedFeatures *lf = linkedFeaturesFromGenePred(tg, gp, TRUE);
 highlightByGetColor(row, gencodeQuery, highlightColor, lf);
 return lf;
 }
 
 static void loadGencodeGenePreds(struct track *tg)