080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/genePredReader.c src/hg/lib/genePredReader.c
index 917e394..a2a8627 100644
--- src/hg/lib/genePredReader.c
+++ src/hg/lib/genePredReader.c
@@ -142,33 +142,33 @@
 }
 
 struct genePredReader *genePredReaderQuery(struct sqlConnection* conn,
                                            char* table, char* where)
 /* Create a new genePredReader to read from the given table in the database.
  * If where is not null, it is added as a where clause.  It will determine if
  * extended genePred columns are in the table.
  */
 {
 char query[1024];
 struct genePredReader* gpr;
 AllocVar(gpr);
 gpr->table = cloneString(table);
 
 if (where != NULL)
-    safef(query, sizeof(query), "select * from %s where %s", table, where);
+    sqlSafef(query, sizeof(query), "select * from %s where %-s", table, where);
 else
-    safef(query, sizeof(query), "select * from %s", table);
+    sqlSafef(query, sizeof(query), "select * from %s", table);
 gpr->sr = sqlGetResult(conn, query);
 buildResultFieldMap(gpr);
 
 return gpr;
 }
 
 struct genePredReader *genePredReaderRangeQuery(struct sqlConnection* conn,
                                                 char* table, char* chrom,
                                                 int start, int end, 
                                                 char* extraWhere)
 /* Create a new genePredReader to read a chrom range in a database table.  If
  * extraWhere is not null, it is added as an additional where condition. It
  * will determine if extended genePred columns are in the table. */
 {
 struct genePredReader* gpr;
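Review bot: The header comment of genePredReaderQuery still says only "If where is not null, it is added as a where clause", but the new `%-s` conversion in the non-null branch appears to pass `where` through sqlSafef unescaped, so the injection protection now rests entirely on every caller having built that fragment safely. That contract should be stated where callers read it; I would extend the comment with `* where must already be a safe SQL fragment (built with sqlSafef or an equivalent escaping helper); it is inserted verbatim via %-s and is not escaped here.` If `%-s` in this code base does escape after all, the comment should say that instead, since the two readings lead callers to opposite behaviour. The same question applies to extraWhere in genePredReaderRangeQuery, whose body continues past the end of the hunk.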