080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/inc/protVar.h src/hg/inc/protVar.h
index 9e17d9c..cd28578 100644
--- src/hg/inc/protVar.h
+++ src/hg/inc/protVar.h
@@ -43,42 +43,31 @@ /* Load all protVar from tab separated file. * Dispose of this with protVarFreeList(). */ struct protVar *protVarLoadByQuery(struct sqlConnection *conn, char *query); /* Load all protVar from table that satisfy the query given. * Where query is of the form 'select * from example where something=something' * or 'select example.* from example, anotherTable where example.something = * anotherTable.something'. * Dispose of this with protVarFreeList(). */ void protVarSaveToDb(struct sqlConnection *conn, struct protVar *el, char *tableName, int updateSize); /* Save protVar as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use protVarSaveToDbEscaped() */ - -void protVarSaveToDbEscaped(struct sqlConnection *conn, struct protVar *el, char *tableName, int updateSize); -/* Save protVar as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than protVarSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ struct protVar *protVarCommaIn(char **pS, struct protVar *ret); /* Create a protVar out of a comma separated string. 
* This will fill in ret if non-null, otherwise will * return a new protVar */ void protVarFree(struct protVar **pEl); /* Free a single dynamically allocated protVar such as created * with protVarLoad(). */ void protVarFreeList(struct protVar **pList); /* Free a list of dynamically allocated protVar's */ void protVarOutput(struct protVar *el, FILE *f, char sep, char lastSep); /* Print out protVar. Separate fields with sep. Follow last field with lastSep. */ 
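Review bot: The rewritten comment on protVarSaveToDb says `Strings are automatically escaped` but drops the caveat the removed protVarSaveToDbEscaped comment carried, that escaping applied to `simple strings (not arrays of string)`; since protVar.c is not part of this diff, a reader of the header cannot tell whether the comma-joined string-array fields are now escaped element by element. I would make that line explicit, e.g. `* inserted as NULL. All string fields, including elements of string arrays, are escaped before insertion.` if that is what the implementation does, or keep the old `(not arrays of string)` caveat if it does not. It would also help to state that `tableName` is presumably still spliced into the query verbatim and so must be a trusted identifier rather than caller-supplied input. The same comment edit is repeated in the protVarPos, protVarAttr and protVarLink hunks below, and the comment at the top of this hunk belongs to a declaration that lies above the hunk.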
@@ -124,42 +113,31 @@ /* Load all protVarPos from tab separated file. * Dispose of this with protVarPosFreeList(). */ struct protVarPos *protVarPosLoadByQuery(struct sqlConnection *conn, char *query); /* Load all protVarPos from table that satisfy the query given. * Where query is of the form 'select * from example where something=something' * or 'select example.* from example, anotherTable where example.something = * anotherTable.something'. * Dispose of this with protVarPosFreeList(). */ void protVarPosSaveToDb(struct sqlConnection *conn, struct protVarPos *el, char *tableName, int updateSize); /* Save protVarPos as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use protVarPosSaveToDbEscaped() */ - -void protVarPosSaveToDbEscaped(struct sqlConnection *conn, struct protVarPos *el, char *tableName, int updateSize); -/* Save protVarPos as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than protVarPosSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ struct protVarPos *protVarPosCommaIn(char **pS, struct protVarPos *ret); /* Create a protVarPos out of a comma separated string. 
* This will fill in ret if non-null, otherwise will * return a new protVarPos */ void protVarPosFree(struct protVarPos **pEl); /* Free a single dynamically allocated protVarPos such as created * with protVarPosLoad(). */ void protVarPosFreeList(struct protVarPos **pList); /* Free a list of dynamically allocated protVarPos's */ void protVarPosOutput(struct protVarPos *el, FILE *f, char sep, char lastSep); /* Print out protVarPos. Separate fields with sep. Follow last field with lastSep. */ 
@@ -201,42 +179,31 @@ /* Load all protVarAttr from tab separated file. * Dispose of this with protVarAttrFreeList(). */ struct protVarAttr *protVarAttrLoadByQuery(struct sqlConnection *conn, char *query); /* Load all protVarAttr from table that satisfy the query given. * Where query is of the form 'select * from example where something=something' * or 'select example.* from example, anotherTable where example.something = * anotherTable.something'. * Dispose of this with protVarAttrFreeList(). */ void protVarAttrSaveToDb(struct sqlConnection *conn, struct protVarAttr *el, char *tableName, int updateSize); /* Save protVarAttr as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use protVarAttrSaveToDbEscaped() */ - -void protVarAttrSaveToDbEscaped(struct sqlConnection *conn, struct protVarAttr *el, char *tableName, int updateSize); -/* Save protVarAttr as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than protVarAttrSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ struct protVarAttr *protVarAttrCommaIn(char **pS, struct protVarAttr *ret); /* Create a protVarAttr out of a comma separated string. 
* This will fill in ret if non-null, otherwise will * return a new protVarAttr */ void protVarAttrFree(struct protVarAttr **pEl); /* Free a single dynamically allocated protVarAttr such as created * with protVarAttrLoad(). */ void protVarAttrFreeList(struct protVarAttr **pList); /* Free a list of dynamically allocated protVarAttr's */ void protVarAttrOutput(struct protVarAttr *el, FILE *f, char sep, char lastSep); /* Print out protVarAttr. Separate fields with sep. Follow last field with lastSep. */ 
@@ -280,42 +247,31 @@ /* Load all protVarLink from tab separated file. * Dispose of this with protVarLinkFreeList(). */ struct protVarLink *protVarLinkLoadByQuery(struct sqlConnection *conn, char *query); /* Load all protVarLink from table that satisfy the query given. * Where query is of the form 'select * from example where something=something' * or 'select example.* from example, anotherTable where example.something = * anotherTable.something'. * Dispose of this with protVarLinkFreeList(). */ void protVarLinkSaveToDb(struct sqlConnection *conn, struct protVarLink *el, char *tableName, int updateSize); /* Save protVarLink as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use protVarLinkSaveToDbEscaped() */ - -void protVarLinkSaveToDbEscaped(struct sqlConnection *conn, struct protVarLink *el, char *tableName, int updateSize); -/* Save protVarLink as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than protVarLinkSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ struct protVarLink *protVarLinkCommaIn(char **pS, struct protVarLink *ret); /* Create a protVarLink out of a comma separated string. 
* This will fill in ret if non-null, otherwise will * return a new protVarLink */ void protVarLinkFree(struct protVarLink **pEl); /* Free a single dynamically allocated protVarLink such as created * with protVarLinkLoad(). */ void protVarLinkFreeList(struct protVarLink **pList); /* Free a list of dynamically allocated protVarLink's */ void protVarLinkOutput(struct protVarLink *el, FILE *f, char sep, char lastSep); /* Print out protVarLink. Separate fields with sep. Follow last field with lastSep. */