080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgTracks/loweLabTracks.c src/hg/hgTracks/loweLabTracks.c
index 46a419b..4b2a933 100644
--- src/hg/hgTracks/loweLabTracks.c
+++ src/hg/hgTracks/loweLabTracks.c
@@ -103,31 +103,31 @@
 }
 Color gbGeneColor(struct track *tg, void *item, struct hvGfx *hvg)
 /* Return color to draw gene in. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr;
 char query[512];
 struct bed *bed = item;
 struct COG *COG=NULL;
 char *temparray[160];
 char **row;
 if(hTableExists(database, "COG"))
 {
- sprintf(query, "select * from COG where name = '%s'", bed->name);
+ sqlSafef(query, sizeof query, "select * from COG where name = '%s'", bed->name);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
 COG = COGLoad(row);
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 initializeColors(hvg);
 if(COG!=NULL)
 {
 chopString(COG->code, "," , temparray, 9999);
 return LLshadesOfCOGS[(temparray[0][0]-'A')];
 }
 else
 return blackIndex();
 }
 else
@@ -149,31 +149,31 @@
 /* Return color to draw gene (genePred) in. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr;
 char query[512];
 struct linkedFeatures *lf = item;
 struct COG *COG=NULL;
 char *temparray[160];
 char **row;
 if (lf == NULL)
 return shadesOfGray[9];
 if (lf->name == NULL)
 return shadesOfGray[9];
 if(hTableExists(database, "COG"))
 {
- sprintf(query, "select * from COG where name = '%s'", lf->name);
+ sqlSafef(query, sizeof query,"select * from COG where name = '%s'", lf->name);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) != NULL)
 COG = COGLoad(row);
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 initializeColors(hvg);
 if(COG!=NULL)
 {
 chopString(COG->code, "," , temparray, 9999);
 return LLshadesOfCOGS[(temparray[0][0]-'A')];
 }
 else
 return shadesOfGray[9];
 }
 else
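Review bot: The lookup `LLshadesOfCOGS[(temparray[0][0]-'A')]` in the `if(COG!=NULL)` branch of gbGeneColor is unchecked: when `COG->code` is empty no piece is stored and `temparray[0]` is read uninitialized, and a first character outside 'A'..'Z' yields a negative or oversized index into a table whose declaration (and size) is outside this hunk. The `9999` piece limit passed to chopString also exceeds the `char *temparray[160]` it writes into, so a code value with more than 160 comma-separated fields overruns the stack array; both points apply identically to the second hunk (the genePred variant, which returns `shadesOfGray[9]` instead of `blackIndex()`), so the same guard belongs there. Assuming chopString returns the number of pieces it stored, as the kent common.h version does, the branch can be bounded and validated as below. Both functions continue past the end of their hunks, and the `else` after `hTableExists` is not visible, so I cannot confirm that path releases `conn`, which is allocated before the table check.
```c
    if(COG!=NULL)
        {
        /* bound the split by the array, not a constant, and validate the index before use */
        int pieces = chopString(COG->code, "," , temparray, sizeof temparray / sizeof temparray[0]);
        if (pieces > 0 && temparray[0][0] >= 'A' && temparray[0][0] <= 'Z')
            return LLshadesOfCOGS[(temparray[0][0]-'A')];
        }
    return blackIndex();
    /* … unchanged: else branch after hTableExists … */
```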