080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgTracks/rmskTrack.c src/hg/hgTracks/rmskTrack.c
index 37dc73f..09ed8ca 100644
--- src/hg/hgTracks/rmskTrack.c
+++ src/hg/hgTracks/rmskTrack.c
@@ -132,37 +132,37 @@
 		}
 	    mapBoxHc(hvg, ro.genoStart, ro.genoEnd, x1, ri->yOffset, w, heightPer, tg->track,
 	    	ro.repName, statusLine);
 	    }
 	}
     freeHash(&hash);
     }
 else
     {
     char table[64];
     boolean hasBin;
     struct dyString *query = newDyString(1024);
     /* Do black and white on single track.  Fetch less than we need from database. */
     if (hFindSplitTable(database, chromName, tg->table, table, &hasBin))
         {
-	dyStringPrintf(query, "select genoStart,genoEnd from %s where ", table);
+	sqlDyStringPrintf(query, "select genoStart,genoEnd from %s where ", table);
 	if (hasBin)
 	    hAddBinToQuery(winStart, winEnd, query);
 	dyStringPrintf(query, "genoStart<%u and genoEnd>%u ", winEnd, winStart);
 	/* if we're using a single rmsk table, add genoName to the where clause */
 	if (startsWith("rmsk", table))
-	    dyStringPrintf(query, " and genoName = '%s' ", chromName);
+	    sqlDyStringPrintf(query, " and genoName = '%s' ", chromName);
 	sr = sqlGetResult(conn, query->string);
 	while ((row = sqlNextRow(sr)) != NULL)
 	    {
 	    int start = sqlUnsigned(row[0]);
 	    int end = sqlUnsigned(row[1]);
 	    x1 = roundingScale(start-winStart, width, baseWidth)+xOff;
 	    x2 = roundingScale(end-winStart, width, baseWidth)+xOff;
 	    w = x2-x1;
 	    if (w <= 0)
 		w = 1;
 	    hvGfxBox(hvg, x1, yOff, w, heightPer, MG_BLACK);
 	    }
 	}
     dyStringFree(&query);
     }
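Review bot: The `dyStringPrintf(query, "genoStart<%u and genoEnd>%u ", winEnd, winStart);` line between the two changed lines is the one remaining plain append into a query that is otherwise built with sqlDyStringPrintf; its arguments are integers, so it cannot inject, but mixing the two printf variants on one dyString makes it easy for a later edit to add a `%s` there without the escaping. Switching it to `sqlDyStringPrintf(query, "genoStart<%u and genoEnd>%u ", winEnd, winStart);` keeps the whole query under one convention (presumably hAddBinToQuery, which also appends to the same query, only writes integer bin ranges — worth confirming). Note also that `table` on the first changed line is interpolated as an unquoted identifier in the FROM clause, so the protection there depends on sqlDyStringPrintf validating identifier characters rather than quote-escaping a string value; it comes from hFindSplitTable rather than directly from the request, which limits exposure. The enclosing function starts and ends outside the hunk.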