080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/affy120KDetails.c src/hg/lib/affy120KDetails.c
index 7672adb..54fcc72 100644
--- src/hg/lib/affy120KDetails.c
+++ src/hg/lib/affy120KDetails.c
@@ -204,178 +204,39 @@
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = affy120KDetailsLoad(row);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 void affy120KDetailsSaveToDb(struct sqlConnection *conn, struct affy120KDetails *el, char *tableName, int updateSize)
 /* Save affy120KDetails as a row to the table specified by tableName. 
  * As blob fields may be arbitrary size updateSize specifies the approx size
  * of a string that would contain the entire query. Arrays of native types are
  * converted to comma separated strings and loaded as such, User defined types are
- * inserted as NULL. Note that strings must be escaped to allow insertion into the database.
- * For example "autosql's features include" --> "autosql\'s features include" 
- * If worried about this use affy120KDetailsSaveToDbEscaped() */
+ * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */
 {
 struct dyString *update = newDyString(updateSize);
-dyStringPrintf(update, "insert into %s values ( %d,'%s','%s','%s','%s','%s','%s',%f,%f,%f,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", 
+sqlDyStringPrintf(update, "insert into %s values ( %d,'%s','%s','%s','%s','%s','%s',%f,%f,%f,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", 
 	tableName,  el->affyId,  el->rsId,  el->baseA,  el->baseB,  el->sequenceA,  el->sequenceB,  el->enzyme,  el->minFreq,  el->hetzyg,  el->avHetSE,  el->NA04477,  el->NA04479,  el->NA04846,  el->NA11036,  el->NA11038,  el->NA13056,  el->NA17011,  el->NA17012,  el->NA17013,  el->NA17014,  el->NA17015,  el->NA17016,  el->NA17101,  el->NA17102,  el->NA17103,  el->NA17104,  el->NA17105,  el->NA17106,  el->NA17201,  el->NA17202,  el->NA17203,  el->NA17204,  el->NA17205,  el->NA17206,  el->NA17207,  el->NA17208,  el->NA17210,  el->NA17211,  el->NA17212,  el->NA17213,  el->PD01,  el->PD02,  el->PD03,  el->PD04,  el->PD05,  el->PD06,  el->PD07,  el->PD08,  el->PD09,  el->PD10,  el->PD11,  el->PD12,  el->PD13,  el->PD14,  el->PD15,  el->PD16,  el->PD17,  el->PD18,  el->PD19,  el->PD20,  el->PD21,  el->PD22,  el->PD23,  el->PD24);
 sqlUpdate(conn, update->string);
 freeDyString(&update);
 }
 
-void affy120KDetailsSaveToDbEscaped(struct sqlConnection *conn, struct affy120KDetails *el, char *tableName, int updateSize)
-/* Save affy120KDetails as a row to the table specified by tableName. 
- * As blob fields may be arbitrary size updateSize specifies the approx size.
- * of a string that would contain the entire query. Automatically 
- * escapes all simple strings (not arrays of string) but may be slower than affy120KDetailsSaveToDb().
- * For example automatically copies and converts: 
- * "autosql's features include" --> "autosql\'s features include" 
- * before inserting into database. */ 
-{
-struct dyString *update = newDyString(updateSize);
-char  *rsId, *baseA, *baseB, *sequenceA, *sequenceB, *enzyme, *NA04477, *NA04479, *NA04846, *NA11036, *NA11038, *NA13056, *NA17011, *NA17012, *NA17013, *NA17014, *NA17015, *NA17016, *NA17101, *NA17102, *NA17103, *NA17104, *NA17105, *NA17106, *NA17201, *NA17202, *NA17203, *NA17204, *NA17205, *NA17206, *NA17207, *NA17208, *NA17210, *NA17211, *NA17212, *NA17213, *PD01, *PD02, *PD03, *PD04, *PD05, *PD06, *PD07, *PD08, *PD09, *PD10, *PD11, *PD12, *PD13, *PD14, *PD15, *PD16, *PD17, *PD18, *PD19, *PD20, *PD21, *PD22, *PD23, *PD24;
-rsId = sqlEscapeString(el->rsId);
-baseA = sqlEscapeString(el->baseA);
-baseB = sqlEscapeString(el->baseB);
-sequenceA = sqlEscapeString(el->sequenceA);
-sequenceB = sqlEscapeString(el->sequenceB);
-enzyme = sqlEscapeString(el->enzyme);
-NA04477 = sqlEscapeString(el->NA04477);
-NA04479 = sqlEscapeString(el->NA04479);
-NA04846 = sqlEscapeString(el->NA04846);
-NA11036 = sqlEscapeString(el->NA11036);
-NA11038 = sqlEscapeString(el->NA11038);
-NA13056 = sqlEscapeString(el->NA13056);
-NA17011 = sqlEscapeString(el->NA17011);
-NA17012 = sqlEscapeString(el->NA17012);
-NA17013 = sqlEscapeString(el->NA17013);
-NA17014 = sqlEscapeString(el->NA17014);
-NA17015 = sqlEscapeString(el->NA17015);
-NA17016 = sqlEscapeString(el->NA17016);
-NA17101 = sqlEscapeString(el->NA17101);
-NA17102 = sqlEscapeString(el->NA17102);
-NA17103 = sqlEscapeString(el->NA17103);
-NA17104 = sqlEscapeString(el->NA17104);
-NA17105 = sqlEscapeString(el->NA17105);
-NA17106 = sqlEscapeString(el->NA17106);
-NA17201 = sqlEscapeString(el->NA17201);
-NA17202 = sqlEscapeString(el->NA17202);
-NA17203 = sqlEscapeString(el->NA17203);
-NA17204 = sqlEscapeString(el->NA17204);
-NA17205 = sqlEscapeString(el->NA17205);
-NA17206 = sqlEscapeString(el->NA17206);
-NA17207 = sqlEscapeString(el->NA17207);
-NA17208 = sqlEscapeString(el->NA17208);
-NA17210 = sqlEscapeString(el->NA17210);
-NA17211 = sqlEscapeString(el->NA17211);
-NA17212 = sqlEscapeString(el->NA17212);
-NA17213 = sqlEscapeString(el->NA17213);
-PD01 = sqlEscapeString(el->PD01);
-PD02 = sqlEscapeString(el->PD02);
-PD03 = sqlEscapeString(el->PD03);
-PD04 = sqlEscapeString(el->PD04);
-PD05 = sqlEscapeString(el->PD05);
-PD06 = sqlEscapeString(el->PD06);
-PD07 = sqlEscapeString(el->PD07);
-PD08 = sqlEscapeString(el->PD08);
-PD09 = sqlEscapeString(el->PD09);
-PD10 = sqlEscapeString(el->PD10);
-PD11 = sqlEscapeString(el->PD11);
-PD12 = sqlEscapeString(el->PD12);
-PD13 = sqlEscapeString(el->PD13);
-PD14 = sqlEscapeString(el->PD14);
-PD15 = sqlEscapeString(el->PD15);
-PD16 = sqlEscapeString(el->PD16);
-PD17 = sqlEscapeString(el->PD17);
-PD18 = sqlEscapeString(el->PD18);
-PD19 = sqlEscapeString(el->PD19);
-PD20 = sqlEscapeString(el->PD20);
-PD21 = sqlEscapeString(el->PD21);
-PD22 = sqlEscapeString(el->PD22);
-PD23 = sqlEscapeString(el->PD23);
-PD24 = sqlEscapeString(el->PD24);
-
-dyStringPrintf(update, "insert into %s values ( %d,'%s','%s','%s','%s','%s','%s',%f,%f,%f,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", 
-	tableName, el->affyId ,  rsId,  baseA,  baseB,  sequenceA,  sequenceB,  enzyme, el->minFreq , el->hetzyg , el->avHetSE ,  NA04477,  NA04479,  NA04846,  NA11036,  NA11038,  NA13056,  NA17011,  NA17012,  NA17013,  NA17014,  NA17015,  NA17016,  NA17101,  NA17102,  NA17103,  NA17104,  NA17105,  NA17106,  NA17201,  NA17202,  NA17203,  NA17204,  NA17205,  NA17206,  NA17207,  NA17208,  NA17210,  NA17211,  NA17212,  NA17213,  PD01,  PD02,  PD03,  PD04,  PD05,  PD06,  PD07,  PD08,  PD09,  PD10,  PD11,  PD12,  PD13,  PD14,  PD15,  PD16,  PD17,  PD18,  PD19,  PD20,  PD21,  PD22,  PD23,  PD24);
-sqlUpdate(conn, update->string);
-freeDyString(&update);
-freez(&rsId);
-freez(&baseA);
-freez(&baseB);
-freez(&sequenceA);
-freez(&sequenceB);
-freez(&enzyme);
-freez(&NA04477);
-freez(&NA04479);
-freez(&NA04846);
-freez(&NA11036);
-freez(&NA11038);
-freez(&NA13056);
-freez(&NA17011);
-freez(&NA17012);
-freez(&NA17013);
-freez(&NA17014);
-freez(&NA17015);
-freez(&NA17016);
-freez(&NA17101);
-freez(&NA17102);
-freez(&NA17103);
-freez(&NA17104);
-freez(&NA17105);
-freez(&NA17106);
-freez(&NA17201);
-freez(&NA17202);
-freez(&NA17203);
-freez(&NA17204);
-freez(&NA17205);
-freez(&NA17206);
-freez(&NA17207);
-freez(&NA17208);
-freez(&NA17210);
-freez(&NA17211);
-freez(&NA17212);
-freez(&NA17213);
-freez(&PD01);
-freez(&PD02);
-freez(&PD03);
-freez(&PD04);
-freez(&PD05);
-freez(&PD06);
-freez(&PD07);
-freez(&PD08);
-freez(&PD09);
-freez(&PD10);
-freez(&PD11);
-freez(&PD12);
-freez(&PD13);
-freez(&PD14);
-freez(&PD15);
-freez(&PD16);
-freez(&PD17);
-freez(&PD18);
-freez(&PD19);
-freez(&PD20);
-freez(&PD21);
-freez(&PD22);
-freez(&PD23);
-freez(&PD24);
-}
 
 struct affy120KDetails *affy120KDetailsCommaIn(char **pS, struct affy120KDetails *ret)
 /* Create a affy120KDetails out of a comma separated string. 
  * This will fill in ret if non-null, otherwise will
  * return a new affy120KDetails */
 {
 char *s = *pS;
 
 if (ret == NULL)
     AllocVar(ret);
 ret->affyId = sqlSignedComma(&s);
 ret->rsId = sqlStringComma(&s);
 sqlFixedStringComma(&s, ret->baseA, sizeof(ret->baseA));
 sqlFixedStringComma(&s, ret->baseB, sizeof(ret->baseB));
 sqlFixedStringComma(&s, ret->sequenceA, sizeof(ret->sequenceA));
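Review bot: The new sqlDyStringPrintf call in affy120KDetailsSaveToDb still interpolates `tableName` through an unquoted `%s`, and escaping quote characters does nothing for an identifier that is not inside quotes, so this argument is only safe when it comes from trusted code; the rewritten header comment ("Strings are automatically escaped") reads as if every string argument is now protected, which overstates the guarantee for this parameter. I would qualify the comment with a line such as `* tableName is interpolated as an unquoted identifier; escaping does not protect it, so it must be a trusted or validated table name.` — if sqlDyStringPrintf already validates unquoted `%s` arguments as identifiers, say that instead. The deletion of affy120KDetailsSaveToDbEscaped removes a public function, so the matching prototype in the header and any callers need to change in the same commit; that is not visible in this hunk. Since the file looks autoSql-generated, the same change presumably belongs in the generator so the next regeneration does not reintroduce the unescaped dyStringPrintf form. The hunk starts inside the preceding query-loading function and ends inside affy120KDetailsCommaIn, both of which continue outside it.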