080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgc/dbRIP.c src/hg/hgc/dbRIP.c
index 4539c32..2d06e97 100644
--- src/hg/hgc/dbRIP.c
+++ src/hg/hgc/dbRIP.c
@@ -17,31 +17,31 @@
 /* used by slSort to sort the polyGenotype in order of ethnic group name */
 {
 const struct polyGenotype *p1 = *((struct polyGenotype**)e1);
 const struct polyGenotype *p2 = *((struct polyGenotype**)e2);
 return(strcmp(p1->ethnicGroup, p2->ethnicGroup));
 }
 
 static void polyTable(char *name)
 {
 struct sqlConnection *conn = hAllocConn(database);
 char query[256];
 struct sqlResult *sr;
 char **row;
 struct polyGenotype *pgList = NULL;
 
-sprintf(query, "select * from polyGenotype where name = '%s'", name);
+sqlSafef(query, sizeof query, "select * from polyGenotype where name = '%s'", name);
 
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     struct polyGenotype *pg;
 
     AllocVar(pg);
     pg = polyGenotypeLoad(row);
     slAddHead(&pgList, pg);
     }
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 if (slCount(pgList) > 0)
     {
     struct polyGenotype *pg;
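Review bot: `AllocVar(pg);` on the line before `pg = polyGenotypeLoad(row);` allocates a struct that is immediately overwritten by the pointer polyGenotypeLoad returns, so every row leaks one polyGenotype; drop the `AllocVar(pg);` line, since the loaded object is what ends up in pgList. The sqlSafef change itself looks right: name is the only untrusted value in the statement and the `'%s'` placeholder is now rendered through the escaping formatter into the 256-byte query buffer, which presumably aborts rather than truncates when the name is too long — confirm that is sqlSafef's behaviour rather than silent truncation. polyTable's body continues past the end of this hunk.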
@@ -153,34 +153,34 @@
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr = NULL;
 char table[64];
 boolean hasBin;
 struct dbRIP *loadItem;
 struct dyString *query = newDyString(512);
 char **row;
 boolean firstTime = TRUE;
 int start = cartInt(cart, "o");
 int itemCount = 0;
 
 genericHeader(tdb, item);
 
 hFindSplitTable(database, seqName, tdb->table, table, &hasBin);
-dyStringPrintf(query, "select * from %s where chrom = '%s' and ",
+sqlDyStringPrintf(query, "select * from %s where chrom = '%s' and ",
 	       table, seqName);
 hAddBinToQuery(winStart, winEnd, query);
-dyStringPrintf(query, "name = '%s' and chromStart = %d", item, start);
+sqlDyStringPrintf(query, "name = '%s' and chromStart = %d", item, start);
 sr = sqlGetResult(conn, query->string);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     if (firstTime)
 	firstTime = FALSE;
     else
 	htmlHorizontalLine();
     ++itemCount;
     loadItem = dbRIPLoad(row+hasBin);
     printf("<B>Database ID:</B>&nbsp;%s<BR>\n", loadItem->name);
     printf("<B>Original ID:</B>&nbsp;%s<BR>\n", loadItem->originalId);
     printf("<B>Class:</B>&nbsp;%s<BR>\n", loadItem->polyClass);
     printf("<B>Family:</B>&nbsp;%s<BR>\n", loadItem->polyFamily);
     printf("<B>Subfamily:</B>&nbsp;%s<BR>\n", loadItem->polySubfamily);
     printf("<B>Associated Disease:</B>&nbsp;%s<BR>\n", loadItem->disease);
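Review bot: The fix covers the two sqlDyStringPrintf calls, but the same query also receives the bin clause from hAddBinToQuery on the line between them, which appends through whatever formatter it uses internally and is outside this hunk. Its arguments winStart and winEnd are integers, so no user string reaches the query that way, but it is worth confirming that an append made outside sqlDyStringPrintf is accepted by sqlDyStringPrintf's contract now that the first and last pieces both go through it. The `%s` for the unquoted table identifier from hFindSplitTable presumably depends on that name containing nothing the escaping would rewrite — verify against the helper. The enclosing function starts before this hunk and its row loop continues past it, so freeing of loadItem and query could not be checked here.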