src/hg/lib/chromInfo.c 080a160c7b9595d516c9c70e83689a09b60839d0

080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/chromInfo.c src/hg/lib/chromInfo.c
index 8d26c64..2aff7ca 100644
--- src/hg/lib/chromInfo.c
+++ src/hg/lib/chromInfo.c
@@ -128,31 +128,31 @@
 /* -------------------------------- End autoSql Generated Code -------------------------------- */
 
 boolean chromSeqFileExists(char *db, char *chrom)
 /* Check whether chromInfo exists for a database, find the path of the */
 /* sequence file for this chromosome and check if the file exists. */
 {
 char seqFile[512];
 struct sqlConnection *conn = sqlConnect(db);
 char query[256];
 char *res = NULL;
 boolean exists = FALSE;
 
 /* if the database exists, check for the chromInfo file */
 if (sqlDatabaseExists(db))
     {
-    safef(query, sizeof(query), "select fileName from chromInfo where chrom = '%s'", chrom);
+    sqlSafef(query, sizeof(query), "select fileName from chromInfo where chrom = '%s'", chrom);
     res = sqlQuickQuery(conn, query, seqFile, 512);
     sqlDisconnect(&conn);
     }
 
 /* if there is not table or no information in the table or if the table */
 /* exists but the file can not be opened return false, otherwise sequence */
 /* file exists and return true */
 if (res != NULL)
     {
     /* chromInfo table exists so check that sequence file can be opened */
     FILE *f = fopen(seqFile, "rb");
     if (f != NULL)
         {
         exists = TRUE;
         fclose(f);
@@ -163,35 +163,35 @@
 
 
 struct chromInfo *createChromInfoList(char *name, char *database)
 /* Load up chromosome information for chrom 'name'.
  * If name is NULL or "all" then load all chroms.
  * Similar to featureBits.c - could be moved to library */
 {
 struct sqlConnection *conn = hAllocConn(database);
 struct sqlResult *sr = NULL;
 char **row;
 int loaded=0;
 struct chromInfo *ret = NULL;
 unsigned totalSize = 0;
 /* do the query */
 if (!name || sameWord(name, "all"))
-    sr = sqlGetResult(conn, "select * from chromInfo");
+    sr = sqlGetResult(conn, "NOSQLINJ select * from chromInfo");
 else
     {
     char select[256];
-    safef(select, ArraySize(select), "select * from chromInfo where chrom='%s'", name);
+    sqlSafef(select, ArraySize(select), "select * from chromInfo where chrom='%s'", name);
     sr = sqlGetResult(conn, select);
     }
 /* read the rows and build the chromInfo list */
 while ((row = sqlNextRow(sr)) != NULL)
     {
     struct chromInfo *el;
     struct chromInfo *ci;
     AllocVar(ci);
     el = chromInfoLoad(row);
     ci->chrom = cloneString(el->chrom);
     ci->size = el->size;
     totalSize += el->size;
     slAddHead(&ret, ci);
     ++loaded;
     }