080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgc/numtsClick.c src/hg/hgc/numtsClick.c
index b4fa72a..8d121ff 100644
--- src/hg/hgc/numtsClick.c
+++ src/hg/hgc/numtsClick.c
@@ -21,92 +21,92 @@ /* message strings */ char *clickMsg = NULL; char *openMsg1 = "Click 'browser' link below to open Genome Browser at genomic position where"; char *openMsg2 = "maps\n"; char *openMsgM = "Click 'browser' link below to open Genome Browser at mitochondrial position where"; genericHeader(tdb, itemName); genericBedClick(conn, tdb, itemName, start, num); safecpy(itemNameDash, sizeof(itemNameDash),itemName); safecat(itemNameDash,64,"_"); safecpy(itemNameTrimmed, sizeof(itemNameTrimmed),itemName); chopSuffixAt(itemNameTrimmed, '_');
-safef(query, sizeof(query), "select chrom, chromStart, chromEnd, name, score, strand from %s where name='%s'",
+sqlSafef(query, sizeof(query), "select chrom, chromStart, chromEnd, name, score, strand from %s where name='%s'",
 table, itemName); sr = sqlGetResult(conn, query); int sSize=0; while ((row = sqlNextRow(sr)) != NULL) { bed = bedLoad6(row); sSize = bed->chromEnd - bed->chromStart; /* printf("sSize is: %5d
", sSize); */ } if (sameString("hg18", database)) { if (sameString("numtS", table) || sameString("numtSAssembled", table)) {
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select chrom, chromStart, chromEnd, name, score, strand " "from numtSMitochondrionChrPlacement where ( " "(name = '%s') OR (((name REGEXP '^%s') OR (name='%s')) AND " " (ABS((chromEnd - chromStart)-%d) <= %d ))) ", itemName, itemNameDash, itemNameTrimmed, sSize, sDiff); clickMsg = openMsgM; } else if (sameString("numtSMitochondrion", table)) {
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select chrom, chromStart, chromEnd, name, score, strand " "from numtS where ( " "(name = '%s') OR (((name REGEXP '^%s') OR (name='%s')) AND " " (ABS((chromEnd - chromStart)-%d) <= %d ))) ", itemName, itemNameDash, itemNameTrimmed, sSize, sDiff); clickMsg = openMsg1; } else if (sameString("numtSMitochondrionChrPlacement", table)) {
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select chrom, chromStart, chromEnd, name, score, strand " "from numtS where ( " "(name = '%s') OR (((name REGEXP '^%s') OR (name='%s')) AND " " (ABS((chromEnd - chromStart)-%d) <= %d ))) ", itemName, itemNameDash, itemNameTrimmed, sSize, sDiff); clickMsg = openMsg1; } } else { if (sameString("numtS", table) || sameString("numtSAssembled", table)) { if (sameString("hg19", database) || sameString("mm9", database)) {
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select chrom, chromStart, chromEnd, name, score, strand " "from numtSMitochondrion where name = '%s' ", itemName); } else {
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select chrom, chromStart, chromEnd, name, score, strand " "from numtSMitochondrion where name = '%s' ", itemNameTrimmed); } clickMsg = openMsgM; } else if (sameString("numtSMitochondrion", table)) {
- safef(query, sizeof(query),
+ sqlSafef(query, sizeof(query),
 "select chrom, chromStart, chromEnd, name, score, strand " "from numtS 
where name like '%s%%'", itemName); clickMsg = openMsg1; } } sr = sqlGetResult(conn, query); firstTime = TRUE; while ((row = sqlNextRow(sr)) != NULL) { printf("
");
         if (firstTime)
             {
             firstTime = FALSE;