080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/hubConnect.c src/hg/lib/hubConnect.c
index f601e5f..ea3aa65 100644
--- src/hg/lib/hubConnect.c
+++ src/hg/lib/hubConnect.c
@@ -158,31 +158,31 @@
 /* check to see if enough time has passed to re-check a hub that
  * has an error status.  Default time to wait is 30 minutes, but this
  * is configurable with the hub.timeToCheck conf variable */
 {
 char *checkTimeString = cfgOptionDefault(hgHubConnectTimeToCheck, "1800");
 time_t checkTime = sqlUnsigned(checkTimeString);
 return dateIsOlderBy(notOkStatus, "%F %T", checkTime);
 }
 
 /* Given a hub ID return associated status. Returns NULL if no such hub.  If hub
  * exists but has problems will return with errorMessage field filled in. */
 struct hubConnectStatus *hubConnectStatusForId(struct sqlConnection *conn, int id)
 {
 struct hubConnectStatus *hub = NULL;
 char query[1024];
-safef(query, sizeof(query), 
+sqlSafef(query, sizeof(query), 
     "select hubUrl,status, errorMessage,lastNotOkTime from %s where id=%d", getHubStatusTableName(), id);
 struct sqlResult *sr = sqlGetResult(conn, query);
 char **row = sqlNextRow(sr);
 if (row != NULL)
     {
     AllocVar(hub);
     hub->id = id;
     hub->hubUrl = cloneString(row[0]);
     hub->status = sqlUnsigned(row[1]);
     hub->errorMessage = cloneString(row[2]);
 
     if (isEmpty(row[2]) || hubTimeToCheck(hub, row[3]))
 	{
 	char *errorMessage = NULL;
 	hub->trackHub = fetchHub( hub, &errorMessage);
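Review bot: The first `%s` of the query after the sqlSafef call carries `getHubStatusTableName()`, an unquoted identifier rather than a string value, so routing it through the same string escaping as the data arguments only works while the configured table name contains nothing the escaper rewrites; the same holds for the first `%s` of every query in the other hunks of this commit. If the project's sqlSafef offers a no-escape specifier for trusted identifiers (I believe `%-s`), using it for the table name makes the user-derived arguments stand out; otherwise a one-line comment such as `/* table name comes from configuration, not from the user; id is an int */` would record why this particular query is safe. hubConnectStatusForId continues past the end of the hunk, and the function whose tail appears at the top of the hunk starts outside it.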
@@ -416,50 +416,50 @@
     dyStringPrintf(dy,"%s,", hel->name);
     }
 *pCount = dbCount;
 
 return dy->string;
 }
 
 static void insertHubUrlInStatus(char *url)
 /* add a url to the hubStatus table */
 {
 struct sqlConnection *conn = hConnectCentral();
 char query[512];
 char *statusTable = getHubStatusTableName();
 
 if (sqlFieldIndex(conn, statusTable, "firstAdded") >= 0)
-    safef(query, sizeof(query), "insert into %s (hubUrl,firstAdded) values (\"%s\",now())",
+    sqlSafef(query, sizeof(query), "insert into %s (hubUrl,firstAdded) values (\"%s\",now())",
 	statusTable, url);
 else
-    safef(query, sizeof(query), "insert into %s (hubUrl) values (\"%s\")",
+    sqlSafef(query, sizeof(query), "insert into %s (hubUrl) values (\"%s\")",
 	statusTable, url);
 sqlUpdate(conn, query);
 hDisconnectCentral(&conn);
 }
 
 static unsigned getHubId(char *url, char **errorMessage)
 /* find id for url in hubStatus table */
 {
 struct sqlConnection *conn = hConnectCentral();
 char query[512];
 char **row;
 boolean foundOne = FALSE;
 int id = 0;
 
 char *statusTableName = getHubStatusTableName();
-safef(query, sizeof(query), "select id,errorMessage from %s where hubUrl = \"%s\"", statusTableName, url);
+sqlSafef(query, sizeof(query), "select id,errorMessage from %s where hubUrl = \"%s\"", statusTableName, url);
 
 struct sqlResult *sr = sqlGetResult(conn, query);
 
 while ((row = sqlNextRow(sr)) != NULL)
     {
     if (foundOne)
 	errAbort("more than one line in %s with hubUrl %s\n", 
 	    statusTableName, url);
 
     foundOne = TRUE;
 
     char *thisId = row[0], *thisError = row[1];
 
     if (!isEmpty(thisError))
 	*errorMessage = cloneString(thisError);
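Review bot: Escaping can roughly double the length of `url` (each quote or backslash becomes two bytes), so the 512-byte `query` in insertHubUrlInStatus and getHubId now accommodates noticeably shorter hub URLs than before the change; if sqlSafef keeps safef's abort-on-overflow behaviour, a long URL containing such characters would end in errAbort rather than a stored row. Consider bounding the URL length where it enters from the cart, or sizing the buffer for the escaped worst case, e.g. `char query[2 * 1024 + 256]; /* escaped url may double in length */`, so that the limit is deliberate rather than a side effect of the escaping. getHubId continues past the end of the hunk.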
@@ -545,59 +545,59 @@
 char *url = cartOptionalString(cart, hgHubDataText);
 
 if (url != NULL)
     {
     trimSpaces(url);
     getAndSetHubStatus( cart, url, TRUE);
     }
 }
 
 unsigned hubResetError(char *url)
 /* clear the error for this url in the hubStatus table,return the id */
 {
 struct sqlConnection *conn = hConnectCentral();
 char query[512];
 
-safef(query, sizeof(query), "select id from %s where hubUrl = \"%s\"", getHubStatusTableName(), url);
+sqlSafef(query, sizeof(query), "select id from %s where hubUrl = \"%s\"", getHubStatusTableName(), url);
 unsigned id = sqlQuickNum(conn, query);
 
 if (id == 0)
     errAbort("could not find url %s in status table (%s)\n", 
 	url, getHubStatusTableName());
 
-safef(query, sizeof(query), "update %s set errorMessage=\"\" where hubUrl = \"%s\"", getHubStatusTableName(), url);
+sqlSafef(query, sizeof(query), "update %s set errorMessage=\"\" where hubUrl = \"%s\"", getHubStatusTableName(), url);
 
 sqlUpdate(conn, query);
 hDisconnectCentral(&conn);
 
 return id;
 }
 
 unsigned hubClearStatus(char *url)
 /* drop the information about this url from the hubStatus table */
 {
 struct sqlConnection *conn = hConnectCentral();
 char query[512];
 
-safef(query, sizeof(query), "select id from %s where hubUrl = \"%s\"", getHubStatusTableName(), url);
+sqlSafef(query, sizeof(query), "select id from %s where hubUrl = \"%s\"", getHubStatusTableName(), url);
 unsigned id = sqlQuickNum(conn, query);
 
 if (id == 0)
     errAbort("could not find url %s in status table (%s)\n", 
 	url, getHubStatusTableName());
 
-safef(query, sizeof(query), "delete from %s where hubUrl = \"%s\"", getHubStatusTableName(), url);
+sqlSafef(query, sizeof(query), "delete from %s where hubUrl = \"%s\"", getHubStatusTableName(), url);
 
 sqlUpdate(conn, query);
 hDisconnectCentral(&conn);
 
 return id;
 }
 
 void hubDisconnect(struct cart *cart, char *url)
 /* drop the information about this url from the hubStatus table, and 
  * the cart variable the references this hub */
 {
 /* clear the hubStatus table */
 unsigned id = hubClearStatus(url);
 
 /* remove the cart variable */
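Review bot: hubResetError and hubClearStatus each look the hub up by `hubUrl` and then re-interpolate the same `url` into the update and delete instead of keying on the `id` they just retrieved; using the integer key keeps the user-derived string out of the write statements entirely. Changing the two write queries to `"update %s set errorMessage=\"\" where id=%u"` and `"delete from %s where id=%u"` with `getHubStatusTableName(), id` as arguments preserves behaviour as long as hubUrl is unique, which getHubId in the previous hunk already aborts on otherwise. The two functions also share their lookup and not-found abort verbatim and could call one static helper. hubDisconnect at the bottom of the hunk continues past it.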
@@ -610,41 +610,41 @@
 /* set the error message in the hubStatus table */
 {
 struct sqlConnection *conn = hConnectCentral();
 char query[4096];
 struct trackHub *tHub = hub->trackHub;
 
 if (errorMessage != NULL)
     {
     // make sure there is no newline at the end.  This should be unneccesary
     // but there are many, many places where newlines are added in calls
     // to warn and errAbort
     char buffer[4096];
     safecpy(buffer, sizeof buffer, errorMessage);
     while (lastChar(buffer) == '\n')
 	buffer[strlen(buffer) - 1] = '\0';
-    safef(query, sizeof(query),
+    sqlSafef(query, sizeof(query),
 	"update %s set errorMessage=\"%s\", lastNotOkTime=now() where id=%d",
 	getHubStatusTableName(), buffer, hub->id);
     sqlUpdate(conn, query);
     }
 else if (tHub != NULL)
     {
     int dbCount = 0;
     char *dbList = getDbList(tHub, &dbCount);
-
-    safef(query, sizeof(query),
+    // users may include quotes in their hub names requiring escaping
+    sqlSafef(query, sizeof(query),
 	"update %s set shortLabel=\"%s\",longLabel=\"%s\",dbCount=\"%d\",dbList=\"%s\",errorMessage=\"\",lastOkTime=now() where id=%d",
 	getHubStatusTableName(), tHub->shortLabel, tHub->longLabel, 
 	dbCount, dbList,
 	hub->id);
     sqlUpdate(conn, query);
     }
 hDisconnectCentral(&conn);
 }
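Review bot: `query` and `buffer` are both 4096 bytes, but the escaped copy of `buffer` can be up to twice its length before the rest of the update statement is appended, so an error message near the buffer limit that contains quotes or backslashes would not fit in `query`; if sqlSafef aborts on overflow as safef does, the path that records a hub error would itself abort. Either size `query` for the escaped worst case, e.g. `char query[2 * 4096 + 512]; /* room for escaped buffer plus statement */`, or cap the copied message well below the buffer size. The comment added on the else branch is helpful; the same reasoning applies to the errorMessage branch above it and could be noted there too. The enclosing function's signature is above the hunk.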
 
 struct trackDb *hubAddTracks(struct hubConnectStatus *hub, char *database)
 /* Load up stuff from data hub and append to list. The hubUrl points to
  * a trackDb.ra format file.  */
 {
 /* Load trackDb.ra file and make it into proper trackDb tree */
 struct trackDb *tdbList = NULL;