src/hg/lib/hgFindSpecCustom.c 080a160c7b9595d516c9c70e83689a09b60839d0

080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/hgFindSpecCustom.c src/hg/lib/hgFindSpecCustom.c
index adb803e..1ba1091 100644
--- src/hg/lib/hgFindSpecCustom.c
+++ src/hg/lib/hgFindSpecCustom.c
@@ -450,33 +450,33 @@
 else if (diff > 0)
     return 1;
 else
     return 0;
 }
 
 static struct hgFindSpec *loadFindSpecsTbl(char *db, char *tblSpec, char *where)
 /* Load find specs for the given where and a given tblSpec. where can be
  * NULL. */
 {
 struct hgFindSpec *hfsList = NULL;
 char *tbl;
 struct sqlConnection *conn = hAllocConnProfileTbl(db, tblSpec, &tbl);
 char query[512];
 if (where != NULL)
-    safef(query, sizeof(query), "select * from %s where %s", tbl, where);
+    sqlSafef(query, sizeof(query), "select * from %s where %s", tbl, where);
 else
-    safef(query, sizeof(query), "select * from %s", tbl);
+    sqlSafef(query, sizeof(query), "select * from %s", tbl);
 struct sqlResult *sr = sqlGetResult(conn, query);
 char **row = NULL;
 while ((row = sqlNextRow(sr)) != NULL)
     {
     struct hgFindSpec *hfs = hgFindSpecLoad(row);
     if (!haveSpecAlready(hfsList, hfs))
         slAddHead(&hfsList, hfs);
     }
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 return(hfsList);
 }
 
 static struct hgFindSpec *loadFindSpecs(char *db, char *where)
 /* Load find specs for the given where. */
@@ -485,31 +485,31 @@
 struct slName *hgFindSpecList = hgFindSpecNameList(db);
 struct slName *oneSpec;
 
 for (oneSpec = hgFindSpecList; oneSpec != NULL; oneSpec = oneSpec->next)
     hfsList = slCat(hfsList, loadFindSpecsTbl(db, oneSpec->name, where));
 slSort(&hfsList, hgFindSpecPriCmp);
 return(hfsList);
 }
 
 
 struct hgFindSpec *hgFindSpecGetSpecs(char *db, boolean shortCircuit)
 /* Load all short-circuit (or not) search specs from the current db, sorted by 
  * searchPriority. */
 {
 char where[64];
-safef(where, sizeof(where), "shortCircuit = %d", shortCircuit);
+sqlSafefFrag(where, sizeof(where), "shortCircuit = %d", shortCircuit);
 struct hgFindSpec *hfsList = loadFindSpecs(db, where);
 slSort(&hfsList, hgFindSpecPriCmp);
 return(hfsList);
 }
 
 void hgFindSpecGetAllSpecs(char *db, 
                            struct hgFindSpec **retShortCircuitList,
 			   struct hgFindSpec **retAdditiveList)
 /* Load all search specs from the current db, separated according to 
  * shortCircuit and sorted by searchPriority. */
 {
 struct hgFindSpec *hfs, *hfsList = loadFindSpecs(db, NULL);
 struct hgFindSpec *shortList = NULL, *longList = NULL;
 
 while ((hfs = slPopHead(&hfsList)) != NULL)