080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/altGraphX.c src/hg/lib/altGraphX.c
index 8362dac..3dc7c4f 100644
--- src/hg/lib/altGraphX.c
+++ src/hg/lib/altGraphX.c
@@ -160,97 +160,56 @@ while ((row = sqlNextRow(sr)) != NULL) { el = altGraphXLoad(row+offSet); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } void altGraphXSaveToDb(struct sqlConnection *conn, struct altGraphX *el, char *tableName, int updateSize) /* Save altGraphX as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use altGraphXSaveToDbEscaped() */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ { struct dyString *update = newDyString(updateSize); char *vTypesArray, *vPositionsArray, *edgeStartsArray, *edgeEndsArray, *edgeTypesArray, *mrnaRefsArray, *mrnaTissuesArray, *mrnaLibsArray; vTypesArray = sqlUbyteArrayToString(el->vTypes, el->vertexCount); vPositionsArray = sqlSignedArrayToString(el->vPositions, el->vertexCount); edgeStartsArray = sqlSignedArrayToString(el->edgeStarts, el->edgeCount); edgeEndsArray = sqlSignedArrayToString(el->edgeEnds, el->edgeCount); edgeTypesArray = sqlSignedArrayToString(el->edgeTypes, el->edgeCount); mrnaRefsArray = sqlStringArrayToString(el->mrnaRefs, el->mrnaRefCount); mrnaTissuesArray = sqlSignedArrayToString(el->mrnaTissues, el->mrnaRefCount); mrnaLibsArray = sqlSignedArrayToString(el->mrnaLibs, el->mrnaRefCount); -dyStringPrintf(update, "insert into %s values ( '%s',%d,%d,'%s',%u,'%s',%u,'%s','%s',%u,'%s','%s', NULL ,'%s',%d,'%s','%s','%s')", +sqlDyStringPrintf(update, "insert into %s values ( '%s',%d,%d,'%s',%u,'%s',%u,'%s','%s',%u,'%s','%s', NULL ,'%s',%d,'%s','%s','%s')", tableName, el->tName, el->tStart, el->tEnd, el->name, 
el->id, el->strand, el->vertexCount, vTypesArray , vPositionsArray , el->edgeCount, edgeStartsArray , edgeEndsArray , edgeTypesArray , el->mrnaRefCount, mrnaRefsArray , mrnaTissuesArray , mrnaLibsArray ); sqlUpdate(conn, update->string); freeDyString(&update); freez(&vTypesArray); freez(&vPositionsArray); freez(&edgeStartsArray); freez(&edgeEndsArray); freez(&edgeTypesArray); freez(&mrnaRefsArray); freez(&mrnaTissuesArray); freez(&mrnaLibsArray); } -void altGraphXSaveToDbEscaped(struct sqlConnection *conn, struct altGraphX *el, char *tableName, int updateSize) -/* Save altGraphX as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than altGraphXSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. 
*/ -{ -struct dyString *update = newDyString(updateSize); -char *tName, *name, *strand, *vTypesArray, *vPositionsArray, *edgeStartsArray, *edgeEndsArray, *edgeTypesArray, *mrnaRefsArray, *mrnaTissuesArray, *mrnaLibsArray; -tName = sqlEscapeString(el->tName); -name = sqlEscapeString(el->name); -strand = sqlEscapeString(el->strand); - -vTypesArray = sqlUbyteArrayToString(el->vTypes, el->vertexCount); -vPositionsArray = sqlSignedArrayToString(el->vPositions, el->vertexCount); -edgeStartsArray = sqlSignedArrayToString(el->edgeStarts, el->edgeCount); -edgeEndsArray = sqlSignedArrayToString(el->edgeEnds, el->edgeCount); -edgeTypesArray = sqlSignedArrayToString(el->edgeTypes, el->edgeCount); -mrnaRefsArray = sqlStringArrayToString(el->mrnaRefs, el->mrnaRefCount); -mrnaTissuesArray = sqlSignedArrayToString(el->mrnaTissues, el->mrnaRefCount); -mrnaLibsArray = sqlSignedArrayToString(el->mrnaLibs, el->mrnaRefCount); -dyStringPrintf(update, "insert into %s values ( '%s',%d,%d,'%s',%u,'%s',%u,'%s','%s',%u,'%s','%s', NULL ,'%s',%d,'%s','%s','%s')", - tableName, tName, el->tStart , el->tEnd , name, el->id , strand, el->vertexCount , vTypesArray , vPositionsArray , el->edgeCount , edgeStartsArray , edgeEndsArray , edgeTypesArray , el->mrnaRefCount , mrnaRefsArray , mrnaTissuesArray , mrnaLibsArray ); -sqlUpdate(conn, update->string); -freeDyString(&update); -freez(&tName); -freez(&name); -freez(&strand); -freez(&vTypesArray); -freez(&vPositionsArray); -freez(&edgeStartsArray); -freez(&edgeEndsArray); -freez(&edgeTypesArray); -freez(&mrnaRefsArray); -freez(&mrnaTissuesArray); -freez(&mrnaLibsArray); -} struct altGraphX *altGraphXCommaIn(char **pS, struct altGraphX *ret) /* Create a altGraphX out of a comma separated string. 
* This will fill in ret if non-null, otherwise will * return a new altGraphX */ { char *s = *pS; int i; if (ret == NULL) AllocVar(ret); ret->tName = sqlStringComma(&s); ret->tStart = sqlSignedComma(&s); ret->tEnd = sqlSignedComma(&s); ret->name = sqlStringComma(&s); @@ -1031,31 +990,31 @@ { struct evidence *ev = slElementFromIx(ag->evidence, edge); return ev->evCount; } struct bed *createBedFromEdges( struct altGraphX *ag, int fpEdge, int cassEdge, int tpEdge) /* Put the edges together to from a bed structure. */ { int *vPos = ag->vPositions; int *starts = ag->edgeStarts; int *ends = ag->edgeEnds; struct bed *bed; int numBlocks = 3; AllocVar(bed); bed->chrom = cloneString(ag->tName); -snprintf(bed->strand, sizeof(bed->strand), "%s", ag->strand); +safef(bed->strand, sizeof(bed->strand), "%s", ag->strand); bed->chromStart = bed->thickStart = vPos[starts[fpEdge]]; bed->chromEnd = bed->thickEnd = vPos[ends[tpEdge]]; bed->name = cloneString(ag->name); bed->blockCount = numBlocks; AllocArray(bed->blockSizes, numBlocks); AllocArray(bed->chromStarts, numBlocks); bed->blockSizes[0] = vPos[ends[fpEdge]] - vPos[starts[fpEdge]]; bed->blockSizes[1] = vPos[ends[cassEdge]] - vPos[starts[cassEdge]]; bed->blockSizes[2] = vPos[ends[tpEdge]] - vPos[starts[tpEdge]]; bed->chromStarts[0] = vPos[starts[fpEdge]] -bed->chromStart; bed->chromStarts[1] = vPos[starts[cassEdge]] - bed->chromStart; bed->chromStarts[2] = vPos[starts[tpEdge]] -bed->chromStart; bed->score = getEvidenceCount(ag,fpEdge)+ getEvidenceCount(ag, tpEdge); bed->expCount = numBlocks; 
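Review bot: The new header comment in altGraphXSaveToDb says strings are automatically escaped, but the first `%s` in `insert into %s values (...)` is the bare table name, and backslash-escaping cannot neutralise an unquoted identifier; unless sqlDyStringPrintf validates unquoted `%s` arguments as identifiers (I believe later versions do, but cannot confirm from this diff), tableName must still come from trusted code. I would add `/* tableName is interpolated unquoted: escaping does not protect it, so it must be a validated identifier or come from trusted code. */` above the sqlDyStringPrintf call. Relatedly, mrnaRefsArray comes from sqlStringArrayToString and is now escaped as one string; if that helper already escapes its elements the values would be escaped twice, which the removed altGraphXSaveToDbEscaped deliberately avoided, so that is worth confirming. Finally, altGraphXSaveToDbEscaped is a public function; its declaration in altGraphX.h and any callers presumably need updating in the same commit, which this diff does not show.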
@@ -1757,33 +1716,33 @@ int width = ag->tEnd - ag->tStart; int *tmp = NULL; for(i=0; ivertexCount; i++) { ag->vPositions[i] = (width - (ag->vPositions[i] - ag->tStart)) + ag->tStart; if(ag->vTypes[i] == ggHardEnd) ag->vTypes[i] = ggHardStart; else if(ag->vTypes[i] ==ggHardStart) ag->vTypes[i] = ggHardEnd; else if(ag->vTypes[i] == ggSoftEnd) ag->vTypes[i] = ggSoftStart; else if(ag->vTypes[i] == ggSoftStart) ag->vTypes[i] = ggSoftEnd; } if(sameString(ag->strand, "+")) - snprintf(ag->strand, sizeof(ag->strand), "%s", "-"); + safef(ag->strand, sizeof(ag->strand), "%s", "-"); else if(sameString(ag->strand, "-")) - snprintf(ag->strand, sizeof(ag->strand), "%s", "+"); + safef(ag->strand, sizeof(ag->strand), "%s", "+"); else errAbort("altGraphX::altGraphXReverseComplement() - Don't recognize strand: %s", ag->strand); tmp = ag->edgeEnds; ag->edgeEnds = ag->edgeStarts; ag->edgeStarts = tmp; } int altGraphXGetEdgeNum(struct altGraphX *ag, int v1, int v2) /** Find the edge index that corresponds to v1 and v2 */ { int eC = ag->edgeCount; int i=0; for(i=0;iedgeStarts[i] == v1 && ag->edgeEnds[i] == v2)
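Review bot: `bed->chromStart = bed->thickStart = vPos[starts[fpEdge]];` and the blockSizes/chromStarts lines below index edgeStarts/edgeEnds by fpEdge, cassEdge and tpEdge and then vPositions by the result with no range check against ag->edgeCount or ag->vertexCount, so a bad edge index from a caller reads out of bounds; the callers are not visible here, so they may already validate. A cheap guard at the top of createBedFromEdges would be `if (fpEdge >= ag->edgeCount || cassEdge >= ag->edgeCount || tpEdge >= ag->edgeCount) errAbort("createBedFromEdges: edge index out of range");`. Note also that replacing snprintf with safef turns a silently truncated copy into an abort on overflow (as safef behaves elsewhere in kent, if I recall correctly); that is fine here since strand is a one-character string, but it is a behaviour change worth stating in the commit message. createBedFromEdges continues past the end of the hunk.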