080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/columnInfo.c src/hg/lib/columnInfo.c
index 3b003e9..580ccbc 100644
--- src/hg/lib/columnInfo.c
+++ src/hg/lib/columnInfo.c
@@ -82,71 +82,39 @@ for(i=2; i "autosql\'s features include"
- * If worried about this use columnInfoSaveToDbEscaped() */
+ * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */
 {
 struct dyString *update = newDyString(updateSize);
-dyStringPrintf(update, "insert into %s values ( '%s','%s','%s','%s','%s','%s')",
+sqlDyStringPrintf(update, "insert into %s values ( '%s','%s','%s','%s','%s','%s')",
 tableName, el->name, el->type, el->nullAllowed, el->key, el->defaultVal, el->extra);
 sqlUpdate(conn, update->string);
 freeDyString(&update);
 }
 
-void columnInfoSaveToDbEscaped(struct sqlConnection *conn, struct columnInfo *el, char *tableName, int updateSize)
-/* Save columnInfo as a row to the table specified by tableName.
- * As blob fields may be arbitrary size updateSize specifies the approx size.
- * of a string that would contain the entire query. Automatically
- * escapes all simple strings (not arrays of string) but may be slower than columnInfoSaveToDb().
- * For example automatically copies and converts:
- * "autosql's features include" --> "autosql\'s features include"
- * before inserting into database. */
-{
-struct dyString *update = newDyString(updateSize);
-char *name, *type, *nullAllowed, *key, *defaultVal, *extra;
-name = sqlEscapeString(el->name);
-type = sqlEscapeString(el->type);
-nullAllowed = sqlEscapeString(el->nullAllowed);
-key = sqlEscapeString(el->key);
-defaultVal = sqlEscapeString(el->defaultVal);
-extra = sqlEscapeString(el->extra);
-
-dyStringPrintf(update, "insert into %s values ( '%s','%s','%s','%s','%s','%s')",
- tableName, name, type, nullAllowed, key, defaultVal, extra);
-sqlUpdate(conn, update->string);
-freeDyString(&update);
-freez(&name);
-freez(&type);
-freez(&nullAllowed);
-freez(&key);
-freez(&defaultVal);
-freez(&extra);
-}
-
 struct columnInfo *columnInfoCommaIn(char **pS, struct columnInfo *ret)
 /* Create a columnInfo out of a comma separated string.
  * This will fill in ret if non-null, otherwise will
  * return a new columnInfo */
 {
 char *s = *pS;
 if (ret == NULL)
 AllocVar(ret);
 ret->name = sqlStringComma(&s);
 ret->type = sqlStringComma(&s);
 ret->nullAllowed = sqlStringComma(&s);
 ret->key = sqlStringComma(&s);
 ret->defaultVal = sqlStringComma(&s);
 ret->extra = sqlStringComma(&s);