080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgc/retroClick.c src/hg/hgc/retroClick.c
index b8fe4a0..90b8a30 100644
--- src/hg/hgc/retroClick.c
+++ src/hg/hgc/retroClick.c
@@ -87,31 +87,31 @@ } static void getGenbankInfo(struct sqlConnection *conn, struct mappingInfo *mi) /* get source gene info and version from gbCdnaInfo and save in mi */ { char query[512], **row; struct sqlResult *sr; char *defDb = database; /* if id has been modified for multi-level ancestor mappings: * NM_012345.1-1.1 -> db:NM_012345a.1.1 * then hack it back to the original accession. However, don't get version, * since the sequence is different. */
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query), "select gbCdnaInfo.version, geneName.name, description.name " "from %s.gbCdnaInfo, %s.geneName, %s.description " "where gbCdnaInfo.acc=\"%s\" and gbCdnaInfo.geneName=geneName.id and gbCdnaInfo.description = description.id", defDb, defDb, defDb, mi->gbAcc); sr = sqlGetResult(conn, query); row = sqlNextRow(sr); if (row != NULL) { mi->gbCurVer = sqlSigned(row[0]); mi->sym = cloneString(row[1]); mi->desc = cloneString(row[2]); } sqlFreeResult(&sr); } 
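Review bot: The comment directly above the rewritten sqlSafef call in getGenbankInfo describes rewriting a multi-level id such as NM_012345.1-1.1 back to its original accession, but nothing in this function does that — mi->gbAcc is used as-is — so the comment reads as stale or misplaced (presumably the stripping happens where gbAcc is derived). Rewording it to `/* mi->gbAcc is expected to already be the plain accession; only the current version is fetched here, since the mapped sequence differs */` would describe what the function actually does. Separately, this query and getCds in the last hunk put the escaped `%s` inside double quotes (`acc=\"%s\"`) while every other query in the commit uses `'%s'`; it is worth confirming that sqlSafef applies string escaping inside double quotes as well, or switching these two to single quotes for uniformity. getGenbankInfo is complete within the hunk.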
@@ -216,31 +216,31 @@ safef(orthoTable, sizeof(orthoTable), "%s%sOrtho%s", mi->tblPre, mi->geneSet, mi->suffix); else safef(orthoTable, sizeof(orthoTable), "%s%sOrtho", mi->tblPre, mi->geneSet); printf("<TABLE class=\"transMap\">\n"); printf("<H3>Breaks in Orthology:</H3>\n"); printf("<THEAD>\n"); printf("<TR><TH>Organism<TH>%% Coverage</TR>\n"); printf("</THEAD><TBODY>\n"); if (hTableExists(database, orthoTable)) { struct sqlResult *sr; char **row; - safef(query, sizeof(query), "select * from %s where name = '%s' ", + sqlSafef(query, sizeof(query), "select * from %s where name = '%s' ", orthoTable, pg->name); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { struct ucscRetroOrtho *puro = ucscRetroOrthoLoad(row); /* get substring after "net" prefix and convert first char to lower case then get organism name */ safecpy(orgDb, sizeof(orgDb), puro->db+3); orgDb[0] = tolower(orgDb[0]); org = hOrganism(orgDb); printf("<TR><TH>%s (%s) ", org, orgDb); printf("<TD>%d</TR>\n", puro->overlap); } sqlFreeResult(&sr); } 
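Review bot: `safecpy(orgDb, sizeof(orgDb), puro->db+3)` skips three characters on the assumption that every db value carries a "net" prefix; a shorter value reads past the terminator, and a value of exactly "net" leaves orgDb empty for the tolower and hOrganism calls. A guard such as `if (!startsWith("net", puro->db)) continue;` before the copy, and `orgDb[0] = tolower((unsigned char)orgDb[0]);` for the ctype call, keep the loop on well-defined ground. The ucscRetroOrtho loaded on each iteration is also never released with its autoSql free routine, which is a per-row leak in the CGI. The enclosing function starts and ends outside this hunk.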
@@ -249,31 +249,31 @@ printf("</TBODY></TABLE>\n"); } static struct psl *loadPslRangeT(char *table, char *qName, char *tName, int tStart, int tEnd) /* Load a list of psls given qName tName tStart tEnd */ { struct sqlResult *sr = NULL; char **row; struct psl *psl = NULL, *pslList = NULL; boolean hasBin; char splitTable[64]; char query[256]; struct sqlConnection *conn = hAllocConn(database); hFindSplitTable(database, seqName, table, splitTable, &hasBin); -safef(query, sizeof(query), "select * from %s where qName = '%s' and tName = '%s' and tEnd > %d and tStart < %d", splitTable, qName, tName, tStart, tEnd); +sqlSafef(query, sizeof(query), "select * from %s where qName = '%s' and tName = '%s' and tEnd > %d and tStart < %d", splitTable, qName, tName, tStart, tEnd); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { psl = pslLoad(row+hasBin); slAddHead(&pslList, psl); } sqlFreeResult(&sr); slReverse(&pslList); hFreeConn(&conn); return pslList; } /* get overlap with psl and set the number of overlapping blocks to numBlocks */ int getOverlap(struct psl *psl, int start, int end, int *numBlocks) { 
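Review bot: loadPslRangeT takes tName as a parameter but resolves the split table with the global seqName (`hFindSplitTable(database, seqName, table, splitTable, &hasBin);`), so if tName is the target chromosome, as the `tName = '%s'` clause suggests, a call where it differs from the current seqName would read the wrong per-chromosome table; passing tName there would make the signature honest. Also `query[256]` leaves little headroom: the format alone is over 100 characters, splitTable can be 63, and qName/tName plus the escaping and prefix that sqlSafef adds come on top, so if sqlSafef aborts on overflow the way safef does, an unusually long id becomes a CGI abort instead of an empty result — `char query[512];` as used elsewhere in the file is safer (loadAlign in the last hunk pairs the same 256-byte query with a 256-byte table name). The function is complete within the hunk; getOverlap after it is cut off.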
@@ -422,37 +422,37 @@ struct psl *pslList = NULL; char query[512]; if (startsWith("August",mi->geneSet)) { if (hTableExists(database, "augustusXAli")) { *table = cloneString( "augustusXAli"); pslList = loadPslRangeT(*table, mi->seqId, pg->gChrom, pg->gStart, pg->gEnd); } else if (hTableExists(database, "augustusX")) { struct sqlResult *sr; char **row; int targetSize = 0; *table = cloneString( "augustusX"); - safef(query, sizeof(query), "select * from augustusX where chrom = '%s' and txEnd > %d and txStart < %d and name like '%s%%'", + sqlSafef(query, sizeof(query), "select * from augustusX where chrom = '%s' and txEnd > %d and txStart < %d and name like '%s%%'", pg->gChrom, pg->gStart, pg->gEnd , mi->seqId ); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) { struct genePred *gp = genePredLoad(row+1); - safef(query, sizeof(query), + sqlSafef(query, sizeof(query), "select size from chromInfo where chrom = '%s' " , gp->chrom); sqlFreeResult(&sr); targetSize = sqlNeedQuickNum(conn, query) ; pslList = pslFromGenePred(gp, targetSize); } } } else if (hTableExists(database, "all_mrna")) { char parent[255]; char *dotPtr ; *table = cloneString( "all_mrna"); safef(parent, sizeof(parent), "%s",pg->name); /* strip off version and unique suffix when looking for parent gene*/ 
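Review bot: In the augustusX branch the result set is released only on the success path — `sqlFreeResult(&sr)` sits inside `if ((row = sqlNextRow(sr)) != NULL) { ... }` — so when nothing matches the struct sqlResult leaks and stays pending on the connection. Load the genePred, free the result unconditionally, and run the chromInfo query only when a row was found, as below. A smaller point: `name like '%s%%'` with mi->seqId now gets quote escaping from sqlSafef, but as far as I can tell LIKE metacharacters (`%`, `_`) inside seqId are not escaped, so a seqId containing them widens the match; the rbRetroParent query in a later hunk has the same shape. The enclosing function starts and ends outside this hunk.
```c
    struct genePred *gp = NULL;
    *table = cloneString( "augustusX");
    /* … unchanged: sqlSafef augustusX query … */
    sr = sqlGetResult(conn, query);
    if ((row = sqlNextRow(sr)) != NULL)
        gp = genePredLoad(row+1);
    sqlFreeResult(&sr);   /* always release; a pending result would block the next query */
    if (gp != NULL)
        {
        sqlSafef(query, sizeof(query),
            "select size from chromInfo where chrom = '%s' " , gp->chrom);
        targetSize = sqlNeedQuickNum(conn, query) ;
        pslList = pslFromGenePred(gp, targetSize);
        }
```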
@@ -502,36 +502,36 @@ static void displayMappingInfo(struct sqlConnection *conn, struct mappingInfo *mi) /* display information from a transMap table */ { struct ucscRetroInfo *pg = mi->pg; double wt[12]; /* weights on score function*/ char query[512]; char *name; char alignTbl[128]; char scoreSql[128]; struct psl *psl; float coverFactor = 0; float maxOverlap = 0; if (mi->suffix == NULL) { safef(alignTbl, sizeof(alignTbl), "%s%sAli", mi->tblPre, mi->geneSet); - safef(scoreSql, sizeof(scoreSql), "select max(score) from %s%sInfo", mi->tblPre, mi->geneSet); + sqlSafef(scoreSql, sizeof(scoreSql), "select max(score) from %s%sInfo", mi->tblPre, mi->geneSet); } else { safef(alignTbl, sizeof(alignTbl), "%s%sAli%s", mi->tblPre, mi->geneSet, mi->suffix); - safef(scoreSql, sizeof(scoreSql), "select max(score) from %s%sInfo%s", mi->tblPre, mi->geneSet, mi->suffix); + sqlSafef(scoreSql, sizeof(scoreSql), "select max(score) from %s%sInfo%s", mi->tblPre, mi->geneSet, mi->suffix); } printf("<TABLE class=\"transMap\">\n"); printf("<H3>Retrogene Statistics:</H3>\n"); printf("<THEAD>\n"); printf("<TR><TH>Feature<TH>Value </TR>\n"); printf("</THEAD><TBODY>\n"); if (sameString(pg->type, "singleExon")) printf("<TR><TH>Type of Parent<TD>%s</tr>\n",pg->type); else printf("<TR><TH>Expression of Retrogene<TD>%s</TR>\n",pg->type); printf("<TR><TH>Score <TD>%d (range from 0 - %d)</TR>\n", pg->score, sqlQuickNum(conn, scoreSql) ); printf("<TR><TH>Parent Gene Alignment Coverage (Bases Matching Parent) <TD>%d %% (%d bp) </TR>\n", pg->coverage, pg->matches); printf("<TR><TH>Introns Processed Out <TD>%d out of %d (%d exons covered)\n", pg->processedIntrons, (pg->parentSpliceCount/2), pg->exonCover); 
@@ -600,56 +600,56 @@ printf("<TR><TH>score function<TD>%4.1f+ %4.1f+ %4.1f+ %4.1f+ %4.1f - %4.1f - %4.1f+ %4.1f - %4.1f - %4.1f</td></TR>\n", wt[1]*(log(pg->exonCover+1)/log(2))*200 , wt[2]*(((log(pg->axtScore>0?pg->axtScore:1)/log(2))*170)-1000), wt[3]*(log(pg->polyAlen+2)*200) , wt[4]*overlapOrtholog*10 , wt[5]*(((log(pg->processedIntrons > 0 ? pg->processedIntrons : 1))/log(2))*600) , (float)wt[6]*pow(pg->intronCount,0.5)*750 , (float)wt[7]*(maxOverlap*300), wt[8]*((pg->coverage/100.0)*(1.0-coverFactor)*300.0), wt[9]*(pg->tReps*10), wt[10]*pg->alignGapCount); if (pg->kaku > 0 && pg->kaku < 1000000) printf("<TR><TH>KA/KU mutation rate in non-syn sites vs utr with repect to parent gene<TD>%4.2f</TR>\n", pg->kaku); #endif #ifdef xxx -safef(query, sizeof(query), "select * from refGene where chrom = '%d' and txEnd > %d and txStart %d and name = '%s'", +sqlSafef(query, sizeof(query), "select * from refGene where chrom = '%d' and txEnd > %d and txStart %d and name = '%s'", pg->chrom, pg->gStart, pg->gEnd , pg->overName ); sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) overlappingGene = genePredLoad(row); if (overlappingGene != NULL) { printf ("CDS exons %d ",genePredcountCdsExons(overlappingGene)); } #endif printf("</tr>\n"); if ( differentString("none",pg->overName) && sqlFieldIndex(conn, "refGene", "exonFrames") != -1) { - safef(query, sizeof(query), + sqlSafef(query, sizeof(query), "select concat(exonFrames,'(',cdsStart,')') from refGene where name = '%s' and chrom = '%s'" , pg->overName, pg->chrom); if (sqlQuickString(conn, query) != NULL) printf("<TR><TH>Frame of retro %s (start)<TD>%s</TR>\n", pg->overName, sqlQuickString(conn, query)); } name = cloneString(pg->name); chopSuffix(name); -safef(query, sizeof(query), +sqlSafef(query, sizeof(query), "select concat(exonFrames,'(',cdsStart,')') from rbRetroParent where name like '%s%%' and chrom = '%s'" , name, pg->chrom); if (hTableExists(database, "rbRetroParent")) { if ( sqlQuickString(conn, 
query) != NULL) printf("<TR><TH>Frames of mapped parent %s (start)<TD>%s</TR>\n", name, sqlQuickString(conn, query)); } printf("</TBODY></TABLE>\n"); } static void printRetroAlignments(struct psl *pslList, int startFirst, char *hgcCommand, char *aliTable, char *itemIn) /* Print list of mRNA alignments. */ { 
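Review bot: Both live lookups in this hunk call `sqlQuickString(conn, query)` twice — once for the NULL test and again inside the printf — so each query runs twice and the first returned string is never freed; capture the result once and release it, as below for the refGene and rbRetroParent sites. The block under `#ifdef xxx` is never compiled yet was still converted to sqlSafef; its format passes pg->chrom to a `'%d'` conversion and `txStart %d` lacks an operator, so it would not work if enabled, and deleting it avoids maintaining dead code. displayMappingInfo begins in an earlier hunk.
```c
    if ( differentString("none",pg->overName) && sqlFieldIndex(conn, "refGene", "exonFrames") != -1)
        {
        /* … unchanged: sqlSafef refGene exonFrames query … */
        char *frames = sqlQuickString(conn, query);
        if (frames != NULL)
            printf("<TR><TH>Frame of retro %s (start)<TD>%s</TR>\n", pg->overName, frames);
        freeMem(frames);
        }
    /* … unchanged: name = cloneString(pg->name); chopSuffix(name); rbRetroParent query … */
    if (hTableExists(database, "rbRetroParent"))
        {
        char *parentFrames = sqlQuickString(conn, query);
        if (parentFrames != NULL)
            printf("<TR><TH>Frames of mapped parent %s (start)<TD>%s</TR>\n", name, parentFrames);
        freeMem(parentFrames);
        }
```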
@@ -737,60 +737,60 @@ #if 0 geneCheckFree(&gc); #endif mappingInfoFree(&mi); hFreeConn(&conn); } static struct genbankCds getCds(struct sqlConnection *conn, struct mappingInfo *mi) /* Get CDS, return empty genebankCds if not found or can't parse */ { char query[256]; struct sqlResult *sr; struct genbankCds cds; char **row; -safef(query, sizeof(query), +sqlSafef(query, sizeof(query), "select cds.name " "from %s.gbCdnaInfo, %s.cds " "where gbCdnaInfo.acc=\"%s\" and gbCdnaInfo.cds=cds.id", database, database, mi->gbAcc); sr = sqlMustGetResult(conn, query); row = sqlNextRow(sr); if ((row == NULL) || !genbankCdsParse(row[0], &cds)) ZeroVar(&cds); /* can't get or parse cds */ sqlFreeResult(&sr); return cds; } static struct psl *loadAlign(struct sqlConnection *conn, struct mappingInfo *mi, int start) /* load a psl that must exist */ { char rootTable[256], table[256], query[256]; boolean hasBin; struct sqlResult *sr; char **row; struct psl *psl; if (mi->suffix == NULL) safef(rootTable, sizeof(rootTable), "%s%sAli", mi->tblPre, mi->geneSet); else safef(rootTable, sizeof(rootTable), "%s%sAli%s", mi->tblPre, mi->geneSet,mi->suffix); hFindSplitTable(database, seqName, rootTable, table, &hasBin); -safef(query, sizeof(query), "select * from %s where qName = '%s' and tStart = %d", +sqlSafef(query, sizeof(query), "select * from %s where qName = '%s' and tStart = %d", table, mi->pg->name, start); sr = sqlMustGetResult(conn, query); row = sqlNextRow(sr); psl = pslLoad(row+hasBin); sqlFreeResult(&sr); return psl; } void retroShowCdnaAli(char *mappedId) /* Show alignment for accession, mostly ripped off from htcCdnaAli */ { char *track = cartString(cart, "aliTable"); struct trackDb *tdb = hashMustFindVal(trackHash, track); char *table = cartString(cart, "table"); int start = cartInt(cart, "o");
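Review bot: In loadAlign, `row = sqlNextRow(sr); psl = pslLoad(row+hasBin);` dereferences a NULL row when the query matches nothing — sqlMustGetResult only guarantees the query executed, not that a row came back — so the "must exist" contract in the comment is not enforced. Adding `if (row == NULL) errAbort("no %s alignment for %s at %d", table, mi->pg->name, start);` after the sqlNextRow call turns a crash into a diagnosable abort. getCds handles this case with its `row == NULL` test, though its `query[256]` must hold the database name twice plus the accession, escaping and sqlSafef's prefix; 512 would match getGenbankInfo. retroShowCdnaAli at the end of the hunk is cut off.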