080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/ensFace.c src/hg/lib/ensFace.c
index 6809869..c2c84b7 100644
--- src/hg/lib/ensFace.c
+++ src/hg/lib/ensFace.c
@@ -63,48 +63,48 @@
     if ((p = rindex(res, ' ')) != NULL)
         *p = '_';
     return res;
 }
 
 static char *ucscToEnsembl(char *database, char *chrom)
 /* if table UCSC_TO_ENSEMBL exists in the given database, return the
    Ensembl name for this chrom */
 {
 static char ensemblName[256];
 struct sqlConnection *conn = hAllocConn(database);
 ensemblName[0] = 0;
 if (sqlTableExists(conn, UCSC_TO_ENSEMBL))
     {
     char query[256];
-    safef(query, ArraySize(query), "select ensembl from %s where ucsc='%s'",
+    sqlSafef(query, ArraySize(query), "select ensembl from %s where ucsc='%s'",
 	UCSC_TO_ENSEMBL, chrom);
     (void) sqlQuickQuery(conn,query,ensemblName,ArraySize(ensemblName));
     }
 return ensemblName;
 }
 
 static int liftToEnsembl(char *database, char *chrom)
 /* if table ENSEMBL_LIFT exists in the given database, return the
    offset for this chrom, else return zero */
 {
 int offset = 0;
 struct sqlConnection *conn = hAllocConn(database);
 
 if (sqlTableExists(conn, ENSEMBL_LIFT))
     {
     char query[256];
-    safef(query, ArraySize(query), "select offset from %s where chrom='%s'",
+    sqlSafef(query, ArraySize(query), "select offset from %s where chrom='%s'",
 	ENSEMBL_LIFT, chrom);
     offset = sqlQuickNum(conn,query); // returns 0 for failed query
     }
 return offset;
 }
 
 struct dyString *ensContigViewUrl(
 char *database, char *ensOrg, char *chrom, int chromSize,
                             int winStart, int winEnd, char *archive)
 /* Return a URL that will take you to ensembl's contig view. */
 /* Not using chromSize.  archive is possibly a date reference */
 {
 struct dyString *dy = dyStringNew(0);
 char *chrName;
 char *ensemblName = ucscToEnsembl(database, chrom);
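Review bot: Both ucscToEnsembl (L20) and liftToEnsembl (L38) obtain a connection with `hAllocConn(database)` and return without releasing it, so every call leaks a pooled connection; ensGeneTrackVersion in this same file pairs its hAllocConn with `hFreeConn(&conn);` and these two should do the same just before `return ensemblName;` and `return offset;`. The escaping change itself looks right, but note that ucscToEnsembl hands back a pointer to the file-static `ensemblName` buffer (L19, L30), so a second call overwrites the result of the first and the function is not safe to call from more than one thread; a comment on the function should say so if that is accepted. The hunk opens in the tail of a preceding function and ends inside ensContigViewUrl, whose body continues past this view.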
@@ -142,28 +142,28 @@
 return dy;
 }
 
 void ensGeneTrackVersion(char *database, char *ensVersionString,
     char *ensDateReference, int stringSize)
 /* check for trackVersion table and find Ensembl version */
 {
 /* see if hgFixed.trackVersion exists */
 boolean trackVersionExists = (sqlDatabaseExists("hgFixed") && hTableExists("hgFixed", "trackVersion"));
 ensVersionString[0] = 0;
 ensDateReference[0] = 0;
 if (trackVersionExists)
     {
     struct sqlConnection *conn = hAllocConn("hgFixed");
     char query[256];
-    safef(query, sizeof(query), "select version,dateReference from hgFixed.trackVersion where db = '%s' and name = 'ensGene' order by updateTime DESC limit 1", database);
+    sqlSafef(query, sizeof(query), "select version,dateReference from hgFixed.trackVersion where db = '%s' and name = 'ensGene' order by updateTime DESC limit 1", database);
     struct sqlResult *sr = sqlGetResult(conn, query);
     char **row;
 
     while ((row = sqlNextRow(sr)) != NULL)
 	{
 	safef(ensVersionString, stringSize, "Ensembl %s", row[0]);
 	safef(ensDateReference, stringSize, "%s", row[1]);
 	}
     sqlFreeResult(&sr);
     hFreeConn(&conn);
     }
 }
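Review bot: The copies at L83-L84 pass `row[0]` and `row[1]` straight to `%s`; if either `version` or `dateReference` can be SQL NULL in hgFixed.trackVersion, sqlNextRow will return a NULL pointer for it and the format is undefined behaviour, so guard them, e.g. `safef(ensVersionString, stringSize, "Ensembl %s", row[0] ? row[0] : "");` and likewise for `row[1]`. Whether those columns are nullable is not visible here, so confirm against the schema before deciding this is needed. The header comment should also state the caller contract the code relies on: both `ensVersionString` and `ensDateReference` must have room for `stringSize` bytes, and both are set to the empty string when hgFixed.trackVersion is absent or has no `ensGene` row for this database (L70-L71).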