080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgc/gvfClick.c src/hg/hgc/gvfClick.c
index 2e5ad74..1ee50cb 100644
--- src/hg/hgc/gvfClick.c
+++ src/hg/hgc/gvfClick.c
@@ -11,31 +11,31 @@
 if (word == NULL)
     return FALSE;
 char *s = word;
 while (*s != '\0')
     if (! isdigit(*s++))
 	return FALSE;
 return TRUE;
 }
 
 void doGvf(struct trackDb *tdb, char *item)
 /* Show details for variants represented as GVF, stored in a bed8Attrs table */
 {
 struct sqlConnection *conn = hAllocConn(database);
 int start = cartInt(cart, "o");
 char query[1024];
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
       "select * from %s where name = '%s' and chrom = '%s' and chromStart = %d",
       tdb->table, item, seqName, start);
 struct sqlResult *sr = sqlGetResult(conn, query);
 char **row;
 if ((row = sqlNextRow(sr)) == NULL)
     errAbort("doGvfDetails: can't find item '%s' in %s at %s:%d", item, database, seqName, start);
 int rowOffset = hOffsetPastBin(database, seqName, tdb->table);
 struct bed8Attrs *ba = bed8AttrsLoad(row+rowOffset);
 bedPrintPos((struct bed *)ba, 3, tdb);
 int i = 0;
 // Note: this loop modifies ba->attrVals[i], assuming we won't use them again:
 for (i = 0;  i < ba->attrCount;  i++)
     {
     // The ID is the bed8Attrs name and has already been displayed:
     if (sameString(ba->attrTags[i], "ID"))
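Review bot: The protection now rests entirely on sqlSafef escaping the `%s` arguments passed on the unchanged line `tdb->table, item, seqName, start);`, but nothing in the hunk records which of those values are untrusted, so a later edit could slip back to safef or switch a value to an unescaped format without anyone noticing; a comment above the call such as `// sqlSafef escapes the %s args; item and seqName are request-derived and must never reach the query unescaped` would pin the intent (hedged: their origin is not visible in this hunk, only `start` is clearly read from the cart via cartInt). `tdb->table` is an identifier rather than a string value, so escaping is a no-op for a well-formed table name; if the project's sqlSafef convention distinguishes pre-validated identifiers from string values, confirm which form is expected here. Separately, the errAbort message names `doGvfDetails` while the function is `doGvf`, which misleads when tracing a CGI failure back to its source. doGvf's body, including the for loop opened at `for (i = 0;  i < ba->attrCount;  i++)`, continues beyond the hunk.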