080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/hgc/txCdsInfo.c src/hg/hgc/txCdsInfo.c
index 0e57c03..2166bc8 100644
--- src/hg/hgc/txCdsInfo.c
+++ src/hg/hgc/txCdsInfo.c
@@ -5,31 +5,31 @@
 #include "hdb.h"
 #include "web.h"
 #include "cdsEvidence.h"
 #include "txInfo.h"
 #include "trackDb.h"
 #include "hgc.h"
 
 
 void showTxInfo(char *geneName, struct trackDb *tdb, char *txInfoTable)
 /* Print out stuff from txInfo table. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 if (sqlTableExists(conn, txInfoTable))
     {
     char query[512];
-    safef(query, sizeof(query), "select * from %s where name='%s'", txInfoTable, geneName);
+    sqlSafef(query, sizeof(query), "select * from %s where name='%s'", txInfoTable, geneName);
     struct sqlResult *sr = sqlGetResult(conn, query);
     char **row;
     if ((row = sqlNextRow(sr)) != NULL)
         {
 	struct txInfo *info = txInfoLoad(row);
 	webNewSection("Transcript Information");
 	webPrintLinkTableStart();
 
 	webPrintLinkCell("<B>category:</B>");
 	webPrintLinkCell(info->category);
 	webPrintLinkCell("<B>nonsense-mediated-decay:</B>");
 	webPrintLinkCell(info->nonsenseMediatedDecay  ? "yes" : "no");
 	webPrintLinkCell("<B>RNA accession:</B>");
 	webPrintLinkCell(info->sourceAcc);
 	webPrintLinkTableNewRow();
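Review bot: The switch to sqlSafef on the `where name='%s'` literal covers geneName, but the first `%s` in the same format is the table name, interpolated unquoted as an identifier; escaping quotes and backslashes does not make an identifier position safe, so the protection there still rests on txInfoTable coming from trusted code (the preceding sqlTableExists check narrows it to an existing table, which helps but is not a validation of the caller's source). The same applies to evTable in both sqlSafef calls of the showCdsEvidence hunk. I would record that contract on the function header, e.g. `/* txInfoTable must be a trusted table name; only geneName is treated as untrusted input. */`. showTxInfo continues past the hunk, so I cannot see whether the result set and connection are released; if not, the function should end with `sqlFreeResult(&sr);` and `hFreeConn(&conn);`.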
@@ -189,35 +189,35 @@
 "<LI><B># of strange splices</B> - The number of introns that have ends which are\n"
 "neither GT/AG, GC/AG, nor AT/AC. Many of these are the result of sequencing\n"
 "errors, or polymorphisms between the DNA donors and the RNA donors.</LI>\n"
 "</UL>\n");
 }
 
 void showCdsEvidence(char *geneName, struct trackDb *tdb, char *evTable)
 /* Print out stuff from cdsEvidence table. */
 {
 struct sqlConnection *conn = hAllocConn(database);
 double bestScore = 0;
 if (sqlTableExists(conn, evTable))
     {
     webNewSection("CDS Prediction Information");
     char query[512];
-    safef(query, sizeof(query), 
+    sqlSafef(query, sizeof(query), 
 	    "select count(*) from %s where name='%s'", evTable, geneName);
     if (sqlQuickNum(conn, query) > 0)
 	{
-	safef(query, sizeof(query), 
+	sqlSafef(query, sizeof(query), 
 		"select * from %s where name='%s' order by score desc", evTable, geneName);
 	struct sqlResult *sr = sqlGetResult(conn, query);
 	char **row;
 
 	webPrintLinkTableStart();
 	webPrintLabelCell("ORF<BR>size");
 	webPrintLabelCell("start in<BR>transcript");
 	webPrintLabelCell("end in<BR>transcript");
 	webPrintLabelCell("source");
 	webPrintLabelCell("accession");
 	webPrintLabelCell("ad-hoc<BR>score");
 	webPrintLabelCell("start<BR>codon");
 	webPrintLabelCell("end<BR>codon");
 	webPrintLabelCell("piece<BR>count");
 	webPrintLabelCell("piece list");
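Review bot: Both changed lines keep a trailing space after `sqlSafef(query, sizeof(query), `, which was inherited from the old lines and is worth dropping while the lines are being touched. The `select count(*)` pre-query and the subsequent `select *` against the same table and name run the same filter twice; since sqlNextRow returning NULL on the second query already tells you there are no rows, the count round-trip looks redundant, though removing it would move the webPrintLinkTableStart and label cells under a first-row check, so I would leave that for a separate change. showCdsEvidence continues past the hunk, so the release of sr and conn is not visible here.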