080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/ec.c src/hg/lib/ec.c
index fe9f39a..448a31a 100644
--- src/hg/lib/ec.c
+++ src/hg/lib/ec.c
@@ -10,45 +10,45 @@
 {
 char query[1024];
 struct sqlConnection *conn = hAllocConn("ec");
 char *level1 = NULL;
 char *level2 = NULL;
 char *level3 = NULL;
 //char *level4 = NULL;
 struct ecAttribute attr;
 char **row = NULL;
 struct sqlResult *sr = NULL;
 
 if (ecNumber == NULL)
     return;
 if (conn == NULL)
     return;
-safef(query,sizeof(query), "select distinct e.description from ecAttribute a , ecCode e where a.ec = \"%s\" and a.level1 = e.level1 and e.level2 = 0 ",ecNumber);
+sqlSafef(query,sizeof(query), "select distinct e.description from ecAttribute a , ecCode e where a.ec = \"%s\" and a.level1 = e.level1 and e.level2 = 0 ",ecNumber);
 level1 = sqlQuickString(conn, query);
-safef(query,sizeof(query), "select distinct e.description from ecAttribute a , ecCode e where a.ec = \"%s\" and a.level1 = e.level1 and a.level2 = e.level2 and e.level3 = 0 ",ecNumber);
+sqlSafef(query,sizeof(query), "select distinct e.description from ecAttribute a , ecCode e where a.ec = \"%s\" and a.level1 = e.level1 and a.level2 = e.level2 and e.level3 = 0 ",ecNumber);
 level2 = sqlQuickString(conn, query);
-safef(query,sizeof(query), "select distinct e.description from ecAttribute a , ecCode e where a.ec = \"%s\" and a.level1 = e.level1 and a.level2 = e.level2 and a.level3 = e.level3 and e.level4 = 0 ",ecNumber);
+sqlSafef(query,sizeof(query), "select distinct e.description from ecAttribute a , ecCode e where a.ec = \"%s\" and a.level1 = e.level1 and a.level2 = e.level2 and a.level3 = e.level3 and e.level4 = 0 ",ecNumber);
 level3 = sqlQuickString(conn, query);
-//safef(query,sizeof(query), "select distinct description from ecAttribute a where a.ec = \"%s\" ",ecNumber);
+//sqlSafef(query,sizeof(query), "select distinct description from ecAttribute a where a.ec = \"%s\" ",ecNumber);
 //level4 = sqlQuickString(conn, query);
 
 printf("[ %s / %s / %s ] <BR>",
         (level1 != NULL) ? level1 :"n/a", 
         (level2 != NULL) ? level2 :"n/a", 
         (level3 != NULL) ? level3 :"n/a"
 //        (level4 != NULL) ? level4 :"n/a"
         );
-safef(query,sizeof(query), "select * from ecAttribute a where a.ec = \"%s\"",ecNumber);
+sqlSafef(query,sizeof(query), "select * from ecAttribute a where a.ec = \"%s\"",ecNumber);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     char *attrDesc = NULL;
     struct sqlConnection *conn2 = hAllocConn("ec");
     ecAttributeStaticLoad(row, &attr);
-    safef(query,sizeof(query), "select description from ecAttributeCode where type = \"%s\" ",attr.type);
+    sqlSafef(query,sizeof(query), "select description from ecAttributeCode where type = \"%s\" ",attr.type);
     attrDesc = sqlQuickString(conn2, query);
     if (differentString(attr.type, "DR"))
         printf("<B>EC %s:</B> %s<BR>", attrDesc != NULL ? attrDesc : "n/a",attr.description);
     hFreeConn(&conn2);
     }
 hFreeConn(&conn);
 }
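Review bot: The early return at `if (ecNumber == NULL)` comes after `hAllocConn("ec")`, so a NULL ecNumber leaks the connection opened on the `struct sqlConnection *conn = hAllocConn("ec");` line; move the argument check above the allocation, or release with `hFreeConn(&conn);` before returning. The switch to sqlSafef covers every query built in this hunk, including the per-row `attr.type` lookup whose value comes back from the database, so the injection fix itself looks complete. Separately, `level1`, `level2`, `level3` and the per-row `attrDesc` returned by sqlQuickString are never released; if sqlQuickString hands back an allocated copy (the name suggests so, confirm against its declaration), each call leaks, and freeing them before the connection is released would close that. The function's signature lies above the hunk.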