src/hg/hgc/ccdsClick.c 080a160c7b9595d516c9c70e83689a09b60839d0

080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgc/ccdsClick.c src/hg/hgc/ccdsClick.c
index a33d3a0..eeea9cf 100644
--- src/hg/hgc/ccdsClick.c
+++ src/hg/hgc/ccdsClick.c
@@ -90,31 +90,31 @@
         printf("\">%s</A>", gene->ccdsId);
         }
     printf("<BR>\n");
     }
 }
 
 static char *getCcdsGeneSymbol(struct sqlConnection *conn, struct ccdsInfo *rsCcds)
 /* get the gene name for a CCDS */
 {
 struct ccdsInfo *ci;
 char accBuf[GENBANK_ACC_BUFSZ], query[256];
 char *geneSym = NULL;
 
 for (ci = rsCcds; ci != NULL; ci = ci->next)
     {
-    safef(query, sizeof(query), "select name from refLink where mrnaAcc='%s'",
+    sqlSafef(query, sizeof(query), "select name from refLink where mrnaAcc='%s'",
           genbankDropVer(accBuf, ci->mrnaAcc));
     geneSym = sqlQuickString(conn, query);
     if (geneSym != NULL)
         return geneSym;
     }
 return NULL;
 }
 
 static char *getCcdsRefSeqSummary(struct sqlConnection *conn, struct ccdsInfo *rsCcds)
 /* get the refseq summary for a CCDS */
 {
 struct ccdsInfo *ci;
 char accBuf[GENBANK_ACC_BUFSZ];
 char *summary = NULL;
 
@@ -163,41 +163,41 @@
 
 /* only keep one of each gene */
 slUniqify(&bestCcdsGenes, ccdsGeneMapGeneIdCmp, ccdsGeneMapFree);
 
 return bestCcdsGenes;
 }
 
 static void printCcdsHgGeneUrl(struct sqlConnection *conn, char *ccdsId, char* kgId)
 /* output a URL to hgGene for a ccds */
 {
 char where[128];
 struct genePredReader *gpr;
 struct genePred *ccdsGene = NULL, *kgGene = NULL;
 
 /* get ccds genePred to get location */
-safef(where, sizeof(where), "chrom = '%s' and name = '%s'", seqName, ccdsId);
+sqlSafefFrag(where, sizeof(where), "chrom = '%s' and name = '%s'", seqName, ccdsId);
 gpr = genePredReaderQuery(conn, "ccdsGene", where);
 ccdsGene = genePredReaderAll(gpr);
 genePredReaderFree(&gpr);
 if (ccdsGene == NULL)
     errAbort("%s not found in ccdsGene table for chrom %s", ccdsId, seqName);
 else if (ccdsGene->next != NULL)
     errAbort("multiple %s rows found in ccdsGene table for chrom %s", ccdsId, seqName);
 
 /* get KG genePred, as need exact location for link */
-safef(where, sizeof(where), "name = '%s' and strand = '%s'", kgId,
+sqlSafefFrag(where, sizeof(where), "name = '%s' and strand = '%s'", kgId,
       ccdsGene->strand);
 gpr = genePredReaderRangeQuery(conn, "knownGene", seqName,
                                ccdsGene->txStart, ccdsGene->txEnd, where);
 kgGene = genePredReaderAll(gpr);
 genePredReaderFree(&gpr);
 if (kgGene == NULL)
     errAbort("%s not found in knownGene table for chrom %s", kgId, seqName);
 else if (kgGene->next != NULL)
     errAbort("multiple %s rows found in knownGene table for chrom %s", kgId, seqName);
 
 printf("../cgi-bin/hgGene?%s&%s=%s&%s=%s&%s=%s&%s=%d&%s=%d",
        cartSidUrlString(cart),
        "db", database,
        "hgg_gene", kgId,
        "hgg_chrom", seqName,