080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/ensFace.c src/hg/lib/ensFace.c
index 6809869..c2c84b7 100644
--- src/hg/lib/ensFace.c
+++ src/hg/lib/ensFace.c
@@ -63,48 +63,48 @@ if ((p = rindex(res, ' ')) != NULL)
 *p = '_';
 return res;
 }
 static char *ucscToEnsembl(char *database, char *chrom)
 /* if table UCSC_TO_ENSEMBL exists in the given database, return the Ensembl name for this chrom */
 {
 static char ensemblName[256];
 struct sqlConnection *conn = hAllocConn(database);
 ensemblName[0] = 0;
 if (sqlTableExists(conn, UCSC_TO_ENSEMBL))
 {
 char query[256];
- safef(query, ArraySize(query), "select ensembl from %s where ucsc='%s'",
+ sqlSafef(query, ArraySize(query), "select ensembl from %s where ucsc='%s'",
 UCSC_TO_ENSEMBL, chrom);
 (void) sqlQuickQuery(conn,query,ensemblName,ArraySize(ensemblName));
 }
 return ensemblName;
 }
 static int liftToEnsembl(char *database, char *chrom)
 /* if table ENSEMBL_LIFT exists in the given database, return the offset for this chrom, else return zero */
 {
 int offset = 0;
 struct sqlConnection *conn = hAllocConn(database);
 if (sqlTableExists(conn, ENSEMBL_LIFT))
 {
 char query[256];
- safef(query, ArraySize(query), "select offset from %s where chrom='%s'",
+ sqlSafef(query, ArraySize(query), "select offset from %s where chrom='%s'",
 ENSEMBL_LIFT, chrom);
 offset = sqlQuickNum(conn,query); // returns 0 for failed query
 }
 return offset;
 }
 struct dyString *ensContigViewUrl( char *database, char *ensOrg, char *chrom, int chromSize, int winStart, int winEnd, char *archive)
 /* Return a URL that will take you to ensembl's contig view. */
 /* Not using chromSize. archive is possibly a date reference */
 {
 struct dyString *dy = dyStringNew(0);
 char *chrName;
 char *ensemblName = ucscToEnsembl(database, chrom);
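Review bot: `ucscToEnsembl` and `liftToEnsembl` each call `hAllocConn(database)` but never release the connection, neither on the table-exists path nor before `return ensemblName;` and `return offset;`, so every call leaks a pooled connection; `ensGeneTrackVersion` in the next hunk pairs its `hAllocConn` with `hFreeConn(&conn)`, and these two should do the same, e.g. `hFreeConn(&conn);` immediately before each `return`. The switch to `sqlSafef` is the right fix for the `chrom` value, which is interpolated inside single quotes; the first `%s` in each query is a table name taken from a compile-time constant, so escaping it is harmless, but if that argument ever becomes a variable it would need identifier validation rather than string escaping, which I believe `sqlSafef`'s `%s` does not provide. `ensContigViewUrl` begins at the end of this hunk and its body continues outside it.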
@@ -142,28 +142,28 @@ return dy;
 }
 void ensGeneTrackVersion(char *database, char *ensVersionString, char *ensDateReference, int stringSize)
 /* check for trackVersion table and find Ensembl version */
 {
 /* see if hgFixed.trackVersion exists */
 boolean trackVersionExists = (sqlDatabaseExists("hgFixed") && hTableExists("hgFixed", "trackVersion"));
 ensVersionString[0] = 0;
 ensDateReference[0] = 0;
 if (trackVersionExists)
 {
 struct sqlConnection *conn = hAllocConn("hgFixed");
 char query[256];
- safef(query, sizeof(query), "select version,dateReference from hgFixed.trackVersion where db = '%s' and name = 'ensGene' order by updateTime DESC limit 1", database);
+ sqlSafef(query, sizeof(query), "select version,dateReference from hgFixed.trackVersion where db = '%s' and name = 'ensGene' order by updateTime DESC limit 1", database);
 struct sqlResult *sr = sqlGetResult(conn, query);
 char **row;
 while ((row = sqlNextRow(sr)) != NULL)
 {
 safef(ensVersionString, stringSize, "Ensembl %s", row[0]);
 safef(ensDateReference, stringSize, "%s", row[1]);
 }
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 }
 }
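Review bot: In the row loop, `row[0]` and `row[1]` are handed to `safef` as `%s` arguments with no NULL check; if `version` or `dateReference` is nullable in `hgFixed.trackVersion`, a NULL column value reaches a `%s` conversion, which is undefined behavior if `safef` forwards to `vsnprintf` as its name suggests. A guard such as `safef(ensDateReference, stringSize, "%s", row[1] ? row[1] : "");` (and the same for `row[0]`) keeps both output buffers well-defined while preserving the empty-string default set at the top of the function. The `sqlSafef` change is correct here: `database` is the only caller-supplied value interpolated into the query and it sits inside single quotes. `ensGeneTrackVersion` lies entirely within this hunk.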