080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/cnpSharpSample.c src/hg/lib/cnpSharpSample.c
index ccabfbb..e2df972 100644
--- src/hg/lib/cnpSharpSample.c
+++ src/hg/lib/cnpSharpSample.c
@@ -87,65 +87,39 @@
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = cnpSharpSampleLoad(row);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 void cnpSharpSampleSaveToDb(struct sqlConnection *conn, struct cnpSharpSample *el, char *tableName, int updateSize)
 /* Save cnpSharpSample as a row to the table specified by tableName. 
  * As blob fields may be arbitrary size updateSize specifies the approx size
  * of a string that would contain the entire query. Arrays of native types are
  * converted to comma separated strings and loaded as such, User defined types are
- * inserted as NULL. Note that strings must be escaped to allow insertion into the database.
- * For example "autosql's features include" --> "autosql\'s features include" 
- * If worried about this use cnpSharpSampleSaveToDbEscaped() */
+ * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */
 {
 struct dyString *update = newDyString(updateSize);
-dyStringPrintf(update, "insert into %s values ( '%s','%s',%u,%g,'%s')", 
+sqlDyStringPrintf(update, "insert into %s values ( '%s','%s',%u,%g,'%s')", 
 	tableName,  el->bac,  el->sample,  el->batch,  el->value,  el->gender);
 sqlUpdate(conn, update->string);
 freeDyString(&update);
 }
 
-void cnpSharpSampleSaveToDbEscaped(struct sqlConnection *conn, struct cnpSharpSample *el, char *tableName, int updateSize)
-/* Save cnpSharpSample as a row to the table specified by tableName. 
- * As blob fields may be arbitrary size updateSize specifies the approx size.
- * of a string that would contain the entire query. Automatically 
- * escapes all simple strings (not arrays of string) but may be slower than cnpSharpSampleSaveToDb().
- * For example automatically copies and converts: 
- * "autosql's features include" --> "autosql\'s features include" 
- * before inserting into database. */ 
-{
-struct dyString *update = newDyString(updateSize);
-char  *bac, *sample, *gender;
-bac = sqlEscapeString(el->bac);
-sample = sqlEscapeString(el->sample);
-gender = sqlEscapeString(el->gender);
-
-dyStringPrintf(update, "insert into %s values ( '%s','%s',%u,%g,'%s')", 
-	tableName,  bac,  sample, el->batch , el->value ,  gender);
-sqlUpdate(conn, update->string);
-freeDyString(&update);
-freez(&bac);
-freez(&sample);
-freez(&gender);
-}
-
 struct cnpSharpSample *cnpSharpSampleCommaIn(char **pS, struct cnpSharpSample *ret)
 /* Create a cnpSharpSample out of a comma separated string. 
  * This will fill in ret if non-null, otherwise will
  * return a new cnpSharpSample */
 {
 char *s = *pS;
 
 if (ret == NULL)
     AllocVar(ret);
 ret->bac = sqlStringComma(&s);
 ret->sample = sqlStringComma(&s);
 ret->batch = sqlUnsignedComma(&s);
 ret->value = sqlFloatComma(&s);
 ret->gender = sqlStringComma(&s);
 *pS = s;