080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/genePred.c src/hg/lib/genePred.c
index 89224f7..7735fca 100644
--- src/hg/lib/genePred.c
+++ src/hg/lib/genePred.c
@@ -4,31 +4,31 @@
 
 #include "common.h"
 #include "gff.h"
 #include "jksql.h"
 #include "psl.h"
 #include "linefile.h"
 #include "genePred.h"
 #include "genbank.h"
 #include "rangeTree.h"
 #include "hdb.h"
 
 
 /* SQL to create a genePred table */
 static char *createSql = 
 "CREATE TABLE %s ("
-"   %s"                                 /* bin column goes here */
+"   %-s"                                 /* bin column goes here */
 "   name varchar(255) not null,"	/* mrna accession of gene */
 "   chrom varchar(255) not null,"	/* Chromosome name */
 "   strand char(1) not null,"		/* + or - for strand */
 "   txStart int unsigned not null,"	/* Transcription start position */
 "   txEnd int unsigned not null,"	/* Transcription end position */
 "   cdsStart int unsigned not null,"	/* Coding region start */
 "   cdsEnd int unsigned not null,"	/* Coding region end */
 "   exonCount int unsigned not null,"	/* Number of exons */
 "   exonStarts longblob not null,"	/* Exon start positions */
 "   exonEnds longblob not null,"	/* Exon end positions */
 "   INDEX(name)";
 
 static char *binFieldSql = 
 "    bin smallint unsigned not null,"
 "    INDEX(chrom,bin),";
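Review bot: The new `%-s` in createSql is a format flag whose meaning is not obvious from C, and the trailing comment still says only `/* bin column goes here */`; from the call site it appears to tell sqlSafef to substitute the fragment verbatim rather than as an escaped string value, which is only acceptable because the two fragments ever passed (binFieldSql and noBinIndexSql) are fixed literals in this module. I would extend the comment on that line to say so: `/* bin column goes here; %-s = substitute raw, not escaped -- only the in-module binFieldSql/noBinIndexSql literals may be passed */`. The first `%s` (the table name) keeps ordinary formatting, so the two conversions are deliberately different and the comment should make that asymmetry visible.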
@@ -1275,31 +1275,31 @@
 cds.end = cdsEnd;
 return genePredFromPsl3(psl, &cds, 0, genePredPslDefaults, insertMergeSize, insertMergeSize);
 }
 
 char* genePredGetCreateSql(char* table, unsigned optFields, unsigned options,
                            int chromIndexLen)
 /* Get SQL required to create a genePred table. optFields is a bit set
  * consisting of the genePredFields values. Options are a bit set of
  * genePredCreateOpts. Returned string should be freed.  This will create all
  * optional fields that preceed the highest optFields column.  chromIndexLen
  * is now ignored.. */
 {
 /* the >= is used so that we create preceeding fields. */
 char sqlCmd[1024];
 
-safef(sqlCmd, sizeof(sqlCmd), createSql, table,
+sqlSafef(sqlCmd, sizeof(sqlCmd), createSql, table,
       ((options & genePredWithBin) ? binFieldSql : noBinIndexSql));
 if (optFields >= genePredScoreFld)
     safecat(sqlCmd, sizeof(sqlCmd), scoreFieldSql);
 if (optFields >= genePredName2Fld)
     safecat(sqlCmd, sizeof(sqlCmd), name2FieldSql);
 if (optFields >= genePredCdsStatFld)
     safecat(sqlCmd, sizeof(sqlCmd), cdsStatFieldSql);
 if (optFields >= genePredExonFramesFld)
     safecat(sqlCmd, sizeof(sqlCmd), exonFramesFieldSql);
 safecat(sqlCmd, sizeof(sqlCmd), ")");
 return cloneString(sqlCmd);
 }
 
 // FIXME: this really doesn't belong in this module
 struct genePred *getOverlappingGene(char *db, struct genePred **list, char *table, char *chrom, int cStart, int cEnd, char *name, int *retOverlap)
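Review bot: `table` is still formatted with a plain `%s` into an unquoted identifier position (`CREATE TABLE %s (` here and `select * from %s` in the getOverlappingGene hunk below), and nothing on the page shows that sqlSafef's `%s` does more than escape string-literal metacharacters, which cannot confine an unquoted table name to a single identifier token. If callers can pass a table name that originates outside the program, a check that `table` contains only identifier characters before the sqlSafef call (or the library's own identifier check, if jksql provides one) is what closes that gap; escaping alone does not. At minimum the function comment should state the precondition, e.g. `* table must be a bare SQL identifier; sqlSafef escapes string values but does not validate an unquoted table name.`. genePredGetCreateSql is fully inside this hunk; getOverlappingGene starts on its last line and its body continues outside the hunk.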
@@ -1312,31 +1312,31 @@
 struct sqlConnection *conn;
 struct sqlResult *sr;
 char **row;
 struct genePred *el = NULL, *bestMatch = NULL, *gp = NULL;
 int overlap = 0 , bestOverlap = 0, i;
 struct psl *psl;
 int *eFrames;
 
 
 if (*list == NULL)
     {
     printf("Loading Predictions from %s\n",table);
     AllocVar(*list);
     conn = hAllocConn(db);
     AllocVar(gene);
-    safef(query, sizeof(query), "select * from %s", table);
+    sqlSafef(query, sizeof(query), "select * from %s", table);
     sr = sqlGetResult(conn, query);
     while ((row = sqlNextRow(sr)) != NULL)
         {
         if (!sameString(table,"all_mrna"))
             {
             el = genePredLoad(row);
             }
         else
             {
             psl = pslLoad(row);
             el = genePredFromPsl2(psl, 0, NULL, genePredStdInsertMergeSize);
             }
         slAddHead(list, el);
         }
     slReverse(list);