080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection diff --git src/hg/lib/customTrack.c src/hg/lib/customTrack.c index 786f736..56801eb 100644 --- src/hg/lib/customTrack.c +++ src/hg/lib/customTrack.c 
@@ -49,91 +49,92 @@ tdb->longLabel = cloneString(CT_DEFAULT_TRACK_DESCR); tdb->table = customTrackTableFromLabel(tdb->shortLabel); tdb->track = cloneString(tdb->table); tdb->visibility = tvDense; tdb->grp = cloneString("user"); tdb->type = (char *)NULL; tdb->canPack = 2; /* unknown -- fill in later when type is known */ return tdb; } static void createMetaInfo(struct sqlConnection *conn) /* create the metaInfo table in customTrash db */ { struct dyString *dy = newDyString(1024); -dyStringPrintf(dy, "CREATE TABLE %s (\n", CT_META_INFO); -dyStringPrintf(dy, "name varchar(255) not null,\n"); -dyStringPrintf(dy, "useCount int not null,\n"); -dyStringPrintf(dy, "lastUse datetime not null,\n"); -dyStringPrintf(dy, "PRIMARY KEY(name)\n"); -dyStringPrintf(dy, ")\n"); +sqlDyStringPrintf(dy, "CREATE TABLE %s (\n" + "name varchar(255) not null,\n" + "useCount int not null,\n" + "lastUse datetime not null,\n" + "PRIMARY KEY(name)\n" + ")\n", + CT_META_INFO); sqlUpdate(conn,dy->string); dyStringFree(&dy); } void ctTouchLastUse(struct sqlConnection *conn, char *table, boolean status) /* for status==TRUE - update metaInfo information for table * for status==FALSE - delete entry for table from metaInfo table */ { static boolean exists = FALSE; if (!exists) { if (!sqlTableExists(conn, CT_META_INFO)) createMetaInfo(conn); exists = TRUE; } char query[1024]; if (status) { struct sqlResult *sr = NULL; char **row = NULL; - safef(query, sizeof(query), "SELECT useCount FROM %s WHERE name=\"%s\"", + sqlSafef(query, sizeof(query), "SELECT useCount FROM %s WHERE name=\"%s\"", CT_META_INFO, table); sr = sqlGetResult(conn,query); row = sqlNextRow(sr); if (row) { int useCount = sqlUnsigned(row[0]); sqlFreeResult(&sr); - safef(query, sizeof(query), "UPDATE %s SET useCount=%d,lastUse=now() WHERE name=\"%s\"", + sqlSafef(query, sizeof(query), "UPDATE %s SET useCount=%d,lastUse=now() WHERE name=\"%s\"", CT_META_INFO, useCount+1, table); sqlUpdate(conn,query); } else { sqlFreeResult(&sr); - 
safef(query, sizeof(query), "INSERT %s VALUES(\"%s\",1,now())", + sqlSafef(query, sizeof(query), "INSERT %s VALUES(\"%s\",1,now())", CT_META_INFO, table); sqlUpdate(conn,query); } } else { - safef(query, sizeof(query), "DELETE FROM %s WHERE name=\"%s\"", + sqlSafef(query, sizeof(query), "DELETE FROM %s WHERE name=\"%s\"", CT_META_INFO, table); sqlUpdate(conn,query); } } boolean verifyWibExists(struct sqlConnection *conn, char *table) /* given a ct database wiggle table, see if the wib file is there */ { char query[1024]; -safef(query, sizeof(query), "SELECT file FROM %s LIMIT 1", table); +sqlSafef(query, sizeof(query), "SELECT file FROM %s LIMIT 1", table); char **row = NULL; struct sqlResult *sr = NULL; sr = sqlGetResult(conn,query); row = sqlNextRow(sr); if (row) { if (fileExists(row[0])) { sqlFreeResult(&sr); return TRUE; } } sqlFreeResult(&sr); return FALSE; } @@ -236,31 +237,31 @@ } track->needsLift = FALSE; } } void customTrackHandleLift(char *db, struct customTrack *ctList) /* lift any tracks with contig coords */ { if (!customTrackNeedsLift(ctList)) return; /* Load up hash of contigs and lift up tracks. */ struct hash *ctgHash = newHash(0); struct ctgPos *ctg, *ctgList = NULL; struct sqlConnection *conn = hAllocConn(db); -struct sqlResult *sr = sqlGetResult(conn, "select * from ctgPos"); +struct sqlResult *sr = sqlGetResult(conn, "NOSQLINJ select * from ctgPos"); char **row; while ((row = sqlNextRow(sr)) != NULL) { ctg = ctgPosLoad(row); slAddHead(&ctgList, ctg); hashAdd(ctgHash, ctg->contig, ctg); } customTrackLift(ctList, ctgHash); ctgPosFreeList(&ctgList); hashFree(&ctgHash); sqlFreeResult(&sr); hFreeConn(&conn); } boolean bogusMacEmptyChars(char *s)
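Review bot: In `verifyWibExists` the new `sqlSafef(query, sizeof(query), "SELECT file FROM %s LIMIT 1", table)` formats `table` as a bare identifier, outside any quotes, so the protection depends on `sqlSafef` validating an unquoted `%s` argument as an identifier rather than merely escaping quote and backslash characters; that behaviour is not visible in this hunk and should be confirmed, since escaping alone would still accept a name such as `t UNION SELECT ...`. The same unquoted `%s` is used for `CT_META_INFO` in `createMetaInfo` and `ctTouchLastUse`, but that argument is a compile-time constant. If the SQL layer does not already reject non-identifier characters, guard the call with the library's identifier check or a local one, e.g. `if (table[strspn(table, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")] != '\0') return FALSE;` (needs `<string.h>`), which matches the function's existing FALSE-on-failure convention. The quoted occurrences, `name=\"%s\"`, are the case escaping handles; note only that MySQL treats `"` as a string delimiter solely while ANSI_QUOTES is off, so single quotes would be the more portable literal delimiter.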
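Review bot: The `NOSQLINJ` prefix added to the `ctgPos` query in `customTrackHandleLift` is a marker that exempts the whole string from the injection check, so it is correct here only because the query is a fixed literal with no formatted-in values; nothing on the line records that constraint. A short comment would stop a later edit from carrying the tag over to a string built from caller data, e.g. `/* NOSQLINJ: fixed literal query, no caller-supplied text -- switch to sqlSafef if values are ever formatted in */` on the line above the `sqlGetResult` call.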