080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgc/makeItemsClick.c src/hg/hgc/makeItemsClick.c
index d52e92c..603fadd 100644
--- src/hg/hgc/makeItemsClick.c
+++ src/hg/hgc/makeItemsClick.c
@@ -7,31 +7,31 @@
 #include "makeItemsItem.h"
 #include "obscure.h"
 #include "cheapcgi.h"
 #include "hgMaf.h"
 #include "hui.h"
 #include "hCommon.h"
 
 void doMakeItemsDetails(struct customTrack *ct, char *itemIdString)
 /* Show details of a makeItems item. */
 {
 char *idString = cloneFirstWord(itemIdString);
 char *tableName = ct->dbTableName;
 char *trackName = ct->tdb->track;
 struct sqlConnection *conn = hAllocConn(CUSTOM_TRASH);
 char query[512];
-safef(query, sizeof(query), "select * from %s where id=%s", tableName, idString);
+sqlSafef(query, sizeof(query), "select * from %s where id=%s", tableName, idString);
 struct sqlResult *sr = sqlGetResult(conn, query);
 
 char **row;
 if ((row = sqlNextRow(sr)) != NULL)
     {
     struct makeItemsItem *item = makeItemsItemLoad(row);
     printf("<FORM ACTION=\"%s\">\n\n", hgTracksName());
     cartSaveSession(cart);
 
     /* Save away ID string in hidden var.  */
     char varName[128];
     safef(varName, sizeof(varName), "%s_%s", trackName, "id");
     cgiMakeHiddenVar(varName, idString);
 
     /* Put up editable name. */
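Review bot: The sqlSafef call on the new line still places idString, taken from the caller-supplied item-id string via cloneFirstWord, as a bare unquoted token in `id=%s`, so the fix rests entirely on how sqlSafef treats a `%s` that is not inside quotes, and nothing in the hunk records that expectation. Because the column is compared numerically, an explicit check before the query makes the contract independent of the escaping layer, e.g. `if (idString == NULL || !isAllDigits(idString)) errAbort("doMakeItemsDetails: bad item id");` placed right after the cloneFirstWord line; the NULL test also covers the case, which I believe but cannot confirm from here, that cloneFirstWord returns NULL for an empty input. The same validated value is what cgiMakeHiddenVar later writes into the form, which narrows that reflection as well. doMakeItemsDetails begins in this hunk but its body continues past it, so the result/connection release and the free of idString could not be checked.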