080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgc/wikiTrack.c src/hg/hgc/wikiTrack.c
index c8d18b6..9987c24 100644
--- src/hg/hgc/wikiTrack.c
+++ src/hg/hgc/wikiTrack.c
@@ -91,31 +91,31 @@ cgiContinueHiddenVar("o"); hPrintf("\n"); cgiContinueHiddenVar("l"); cgiContinueHiddenVar("r"); hPrintf("\n"); } static struct bed *multipleItems(struct wikiTrack *item) { struct sqlResult *sr; char **row; struct sqlConnection *wikiConn = wikiConnect(); char query[1024]; struct bed *bedList = NULL;
-safef(query, ArraySize(query), "SELECT chrom,chromStart,chromEnd,id FROM %s "
+sqlSafef(query, ArraySize(query), "SELECT chrom,chromStart,chromEnd,id FROM %s "
 "WHERE descriptionKey='%s' ORDER BY chrom,chromStart;", WIKI_TRACK_TABLE, item->descriptionKey); sr = sqlGetResult(wikiConn, query); while ( (row = sqlNextRow(sr)) != NULL) { int elId = sqlUnsigned(row[3]); if (elId == item->id) continue; struct bed *bed; AllocVar(bed); bed->chrom = cloneString(row[0]); bed->chromStart = sqlUnsigned(row[1]); bed->chromEnd = sqlUnsigned(row[2]); bed->score = elId; slAddHead(&bedList,bed); 
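Review bot: `multipleItems` has no descriptive comment after its signature, unlike `updateLastModifiedDate` and `deleteItem` elsewhere in this file; from the query and the `elId == item->id` skip, `/* return bed list of the other items sharing item's descriptionKey, excluding item itself */` would document it. The table name is still substituted through an unquoted `%s` in `FROM %s `; as I recall sqlSafef treats an unquoted `%s` as an identifier to be checked and reserves `%-s` for trusted literal text, so if `WIKI_TRACK_TABLE` ever carries a database qualifier or any character the identifier check rejects, `FROM %-s` is the intended spelling — worth confirming against the macro's value, which is not on the page. The function body continues past the end of the hunk, so whether `sr` is freed and `wikiConn` disconnected cannot be checked here.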
@@ -386,43 +386,43 @@ wikiItemId); /* if we can get the hgc clicks to add item id to the incoming data, * then use that item Id here */ displayItem(item, userName); } } /* void doWikiTrack() */ static void updateLastModifiedDate(int id) /* set lastModifiedDate to now() */ { char query[512]; struct sqlConnection *wikiConn = wikiConnect();
-safef(query, ArraySize(query),
+sqlSafef(query, ArraySize(query),
 "UPDATE %s set lastModifiedDate=now() WHERE id='%d'", WIKI_TRACK_TABLE, id); sqlUpdate(wikiConn,query); wikiDisconnect(&wikiConn); } static void deleteItem(int id) /* delete the item with specified id */ { char query[512]; struct sqlConnection *wikiConn = wikiConnect();
-safef(query, ArraySize(query), "DELETE FROM %s WHERE id='%d'",
+sqlSafef(query, ArraySize(query), "DELETE FROM %s WHERE id='%d'",
 WIKI_TRACK_TABLE, id); sqlUpdate(wikiConn,query); wikiDisconnect(&wikiConn); } void doDeleteWikiItem(char *wikiItemId, char *chrom, int winStart, int winEnd) /* handle delete item clicks for wikiTrack */ { char *userName = NULL; struct wikiTrack *item = findWikiItemId(wikiItemId); cartWebStart(cart, database, "%s (%s)", "User Annotation Track, deleted item: ", item->name); if (NULL == wikiItemId) errAbort("delete wiki item: NULL wikiItemId"); 
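Review bot: In `doDeleteWikiItem` the `NULL == wikiItemId` check comes after `findWikiItemId(wikiItemId)` has already been called and `item->name` dereferenced inside the `cartWebStart` call, so it can never fire before those uses; the guard should open the function, `if (NULL == wikiItemId)` / `    errAbort("delete wiki item: NULL wikiItemId");` / `struct wikiTrack *item = findWikiItemId(wikiItemId);`. Whether `findWikiItemId` can return NULL for an id that does not exist is not visible here; if it can, `item` needs its own check before `item->name` as well. `deleteItem(int id)` performs no ownership check of its own, so the comparison of the item's owner against `userName` presumably happens later in `doDeleteWikiItem`, which runs past the end of the hunk and should be confirmed there.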
@@ -534,51 +534,51 @@ newItem->chromStart = itemStart; newItem->chromEnd = itemEnd; newItem->name = cloneString(itemName); newItem->score = score; safef(newItem->strand, sizeof(newItem->strand), "%s", plusStrand ? "+" : "-"); newItem->db = cloneString(database); newItem->owner = cloneString(userName); newItem->class = cloneString(class); newItem->color = cloneString(color); newItem->creationDate = cloneString("0"); newItem->lastModifiedDate = cloneString("0"); newItem->descriptionKey = cloneString(descriptionKey); newItem->id = 0; newItem->geneSymbol = cloneString("0");
-wikiTrackSaveToDbEscaped(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);
+wikiTrackSaveToDb(wikiConn, newItem, WIKI_TRACK_TABLE, 1024);
 int id = sqlLastAutoId(wikiConn); safef(descriptionKey,ArraySize(descriptionKey), "GenomeAnnotation:%s-%d", database, id); wikiTrackFree(&newItem); char newItemName[128]; char query[512]; if (sameWord(itemName,NEW_ITEM_NAME)) { safef(newItemName, ArraySize(newItemName), "%s-%d", database, id);
- safef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s',name='%s-%d' WHERE id='%d'",
+ sqlSafef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s',name='%s-%d' WHERE id='%d'",
 WIKI_TRACK_TABLE, descriptionKey, database, id, id); } else { safef(newItemName, ArraySize(newItemName), "%s", itemName);
- safef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'",
+ sqlSafef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'",
 WIKI_TRACK_TABLE, descriptionKey, id); } sqlUpdate(wikiConn,query); wikiDisconnect(&wikiConn); cartWebStart(cart, database, "%s %s", "User Annotation Track, created new item: ", newItemName); char wikiItemId[64]; safef(wikiItemId,ArraySize(wikiItemId),"%d", id); struct wikiTrack *item = findWikiItemId(wikiItemId); addDescription(item, 
userName, seqName, winStart, winEnd, cart, database, NULL, NULL, NEW_ITEM_CATEGORY); displayItem(item, userName);
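Review bot: `wikiTrackSaveToDb(wikiConn, newItem, WIKI_TRACK_TABLE, 1024)` keeps the fixed 1024-byte query budget of the `...Escaped` call it replaces, yet the generated save routine presumably now escapes its string fields, and escaping can only lengthen `name`, `class`, `color` and `owner`, all of which originate from the caller's CGI input; unless their lengths are bounded earlier in this function (above the hunk), an over-long value now ends in a safef-style overflow abort rather than a clean rejection, so either raise the budget or validate the lengths before this call. The same user-supplied `itemName` is copied into `newItemName` and handed to `cartWebStart` as part of the page title, so the HTML output side deserves the same attention the SQL side got here; whether `cartWebStart` escapes its title text is not visible in this hunk. The enclosing function starts before the hunk and may run past it.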