080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/findKGAlias.c src/hg/lib/findKGAlias.c
index 6e9c76c..5441c02 100644
--- src/hg/lib/findKGAlias.c
+++ src/hg/lib/findKGAlias.c
@@ -18,39 +18,39 @@ sqlFreeResult(&sr); } struct kgAlias *findKGAlias(char *dataBase, char *spec, char *mode) /* findKGAlias Looks up aliases for Known Genes, given a seach spec * mode "E" is for Exact match * mode "F" is for Fuzzy match * mode "P" is for Prefix match * it returns a link list of kgAlias nodes, which contain kgID and Alias */ { struct sqlConnection *conn = hAllocConn(dataBase); struct dyString *ds = newDyString(256); struct kgAlias *kaList = NULL; char fullTableName[256];
-snprintf(fullTableName, 250, "%s.%s", dataBase, "kgAlias");
+safef(fullTableName, 250, "%s.%s", dataBase, "kgAlias");
 if (!sqlTableExists(conn, fullTableName)) { errAbort("Table %s.kgAlias does not exist.\n", dataBase); } if (sameString(mode, "E")) {
- dyStringPrintf(ds, "select * from %s.kgAlias where alias = '%s'", dataBase, spec);
+ sqlDyStringPrintf(ds, "select * from %s.kgAlias where alias = '%s'", dataBase, spec);
 } else if (sameString(mode, "F")) {
- dyStringPrintf(ds, "select * from %s.kgAlias where alias like '%%%s%%'",
+ sqlDyStringPrintf(ds, "select * from %s.kgAlias where alias like '%%%s%%'",
 dataBase, spec); } else if (sameString(mode, "P")) {
- dyStringPrintf(ds, "select * from %s.kgAlias where alias like '%s%%'",
+ sqlDyStringPrintf(ds, "select * from %s.kgAlias where alias like '%s%%'",
 dataBase, spec); } addKgAlias(conn, ds, &kaList); hFreeConn(&conn); return(kaList); }
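Review bot: The three new `sqlDyStringPrintf` lines still pass `dataBase` through `%s` in the unquoted identifier position `%s.kgAlias`, and escaping meant for a quoted string literal (the treatment the `'%s'` operands rely on) only neutralizes quotes and backslashes, so it places no constraint on a value that is never wrapped in quotes; the only things that would reject a hostile database name here are the `hAllocConn(dataBase)` and `sqlTableExists(conn, fullTableName)` calls earlier in the hunk. I cannot tell from this hunk where `dataBase` originates, but if it can arrive from a request parameter it should be validated as a bare identifier before the query is built (or passed through whatever identifier-checking conversion the `sqlDyStringPrintf` family offers, if one exists), with a comment such as `/* dataBase is an identifier, not a string literal: %s escaping does not protect it */` on the first query line. Separately, in the "F" and "P" branches `spec` is interpolated inside a LIKE pattern, and quote escaping does not neutralize the LIKE metacharacters `%` and `_`, so a spec of `%` in prefix mode matches every row; if that is not intended, escape those characters in `spec` before formatting. The `safef(fullTableName, 250, ...)` size is also a hard-coded 6 bytes under the 256-byte buffer; `sizeof fullTableName` is the conventional and self-maintaining choice.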