080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/chainNetDbLoad.c src/hg/lib/chainNetDbLoad.c
index 38fe9db..30661b6 100644
--- src/hg/lib/chainNetDbLoad.c
+++ src/hg/lib/chainNetDbLoad.c
@@ -221,50 +221,50 @@
 /* Load some or all of chain. */
 {
 struct sqlConnection *conn;
 struct sqlResult *sr;
 char **row;
 char table[64];
 boolean hasBin;
 struct chain *chain;
 char query[256];
 struct dyString *dy = newDyString(128);
 
 /* Load chain header. */
 if (!hFindSplitTable(database, chrom, track, table, &hasBin))
    errAbort("%s table is not in %s", track, database);
 conn = sqlConnect(database);
-snprintf(query, sizeof(query),
+sqlSafef(query, sizeof(query),
 	"select * from %s where id = %d", table, id);
 sr = sqlGetResult(conn, query);
 if ((row = sqlNextRow(sr)) == NULL)
     errAbort("chain %d is not in %s", id, table);
 chain = chainHeadLoad(row+hasBin);
 sqlFreeResult(&sr);
 
 /* Load links. */
 if (loadAll)
     {
-    dyStringPrintf(dy, 
+    sqlDyStringPrintf(dy, 
 	 "select * from %sLink where chainId = %d", table, id);
     }
 else
     {
-    dyStringPrintf(dy, 
+    sqlDyStringPrintf(dy, 
 	 "select * from %sLink where ",table );
     hAddBinToQuery(start, end, dy);
-    dyStringPrintf(dy," chainId = %d and tStart < %d and tEnd > %d", id, end, start);
+    sqlDyStringPrintf(dy," chainId = %d and tStart < %d and tEnd > %d", id, end, start);
     }
 sr = sqlGetResult(conn, dy->string);
 chainLinkAddResult(sr, hasBin, chain);
 sqlFreeResult(&sr);
 sqlDisconnect(&conn);
 freeDyString(&dy);
 return chain;
 }
 
 struct chain *chainLoadIdRange(char *database, char *track, char *chrom, 
 	int start, int end, int id)
 /* Load parts of chain of given ID from database.  Note the chain header
  * including score, tStart, tEnd, will still reflect the whole chain,
  * not just the part in range.  However only the blocks of the chain
  * overlapping the range will be loaded. */
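Review bot: The non-loadAll branch still has one append into `dy` that bypasses the safe formatter: `hAddBinToQuery(start, end, dy);` sits between the two converted `sqlDyStringPrintf` calls, and whether it writes through the same sql-safe path is not visible here; if it appends via plain `dyStringPrintf`/`dyStringAppend`, the query handed to `sqlGetResult(conn, dy->string)` is only partially covered by this fix, so that helper needs the same treatment or a comment such as `/* hAddBinToQuery must itself use the sql-safe dyString API */`. The only string argument in all four queries is `table`, which comes from `hFindSplitTable` rather than the caller, so the practical exposure was the `%d` arguments and whatever the formatter now enforces; it is still worth confirming that `sqlSafef`'s handling of `%s` is appropriate for a bare identifier rather than a quoted value. As a point of style, the header query uses a fixed `char query[256]` while the link queries use the dyString, and building both through `dy` would leave one query-construction path to audit. The enclosing function's signature and opening comment lie before the first hunk line, so the parameter types are assumed from their use.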