080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/liftOverChain.c src/hg/lib/liftOverChain.c
index 834d3f2..116f862 100644
--- src/hg/lib/liftOverChain.c
+++ src/hg/lib/liftOverChain.c
@@ -95,68 +95,39 @@
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = liftOverChainLoad(row);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 void liftOverChainSaveToDb(struct sqlConnection *conn, struct liftOverChain *el, char *tableName, int updateSize)
 /* Save liftOverChain as a row to the table specified by tableName. 
  * As blob fields may be arbitrary size updateSize specifies the approx size
  * of a string that would contain the entire query. Arrays of native types are
  * converted to comma separated strings and loaded as such, User defined types are
- * inserted as NULL. Note that strings must be escaped to allow insertion into the database.
- * For example "autosql's features include" --> "autosql\'s features include" 
- * If worried about this use liftOverChainSaveToDbEscaped() */
+ * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */
 {
 struct dyString *update = newDyString(updateSize);
-dyStringPrintf(update, "insert into %s values ( '%s','%s',%s,%g,%u,%u,'%s',%g,'%s')", 
+sqlDyStringPrintf(update, "insert into %s values ( '%s','%s',%s,%g,%u,%u,'%s',%g,'%s')", 
 	tableName,  el->fromDb,  el->toDb,  el->path,  el->minMatch,  el->minChainT,  el->minSizeQ,  el->multiple,  el->minBlocks,  el->fudgeThick);
 sqlUpdate(conn, update->string);
 freeDyString(&update);
 }
 
-void liftOverChainSaveToDbEscaped(struct sqlConnection *conn, struct liftOverChain *el, char *tableName, int updateSize)
-/* Save liftOverChain as a row to the table specified by tableName. 
- * As blob fields may be arbitrary size updateSize specifies the approx size.
- * of a string that would contain the entire query. Automatically 
- * escapes all simple strings (not arrays of string) but may be slower than liftOverChainSaveToDb().
- * For example automatically copies and converts: 
- * "autosql's features include" --> "autosql\'s features include" 
- * before inserting into database. */ 
-{
-struct dyString *update = newDyString(updateSize);
-char  *fromDb, *toDb, *path, *multiple, *fudgeThick;
-fromDb = sqlEscapeString(el->fromDb);
-toDb = sqlEscapeString(el->toDb);
-path = sqlEscapeString(el->path);
-multiple = sqlEscapeString(el->multiple);
-fudgeThick = sqlEscapeString(el->fudgeThick);
-
-dyStringPrintf(update, "insert into %s values ( '%s','%s','%s',%g,%u,%u,'%s',%g,'%s')", 
-	tableName,  fromDb,  toDb,  path, el->minMatch , el->minChainT , el->minSizeQ ,  multiple, el->minBlocks ,  fudgeThick);
-sqlUpdate(conn, update->string);
-freeDyString(&update);
-freez(&fromDb);
-freez(&toDb);
-freez(&path);
-freez(&multiple);
-freez(&fudgeThick);
-}
 
 struct liftOverChain *liftOverChainCommaIn(char **pS, struct liftOverChain *ret)
 /* Create a liftOverChain out of a comma separated string. 
  * This will fill in ret if non-null, otherwise will
  * return a new liftOverChain */
 {
 char *s = *pS;
 
 if (ret == NULL)
     AllocVar(ret);
 ret->fromDb = sqlStringComma(&s);
 ret->toDb = sqlStringComma(&s);
 ret->path = sqlStringComma(&s);
 ret->minMatch = sqlFloatComma(&s);
 ret->minChainT = sqlUnsignedComma(&s);
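Review bot: In the kept format string of liftOverChainSaveToDb, `el->path` is still inserted as a bare `%s` with no surrounding quotes, whereas the deleted liftOverChainSaveToDbEscaped variant wrote it as `'%s'`; escaping only protects a value that sits inside a quoted literal, so if sqlDyStringPrintf escapes but does not itself quote its `%s` arguments (presumably, as sqlEscapeString did), a path containing spaces, commas or parentheses is still spliced into the statement as raw SQL tokens. liftOverChainCommaIn reads path with sqlStringComma, so it is a string and should be quoted: `sqlDyStringPrintf(update, "insert into %s values ( '%s','%s','%s',%g,%u,%u,'%s',%g,'%s')",`. Note also that tableName goes through the same `%s` as the values; escaping a string does not make an identifier safe, so the new header comment should state that tableName must be a trusted literal, e.g. `* tableName must be a trusted identifier; only the quoted string values are escaped.` The liftOverChainCommaIn definition at the end of the hunk continues outside it.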
@@ -222,31 +193,31 @@
 fprintf(f, "%g", el->minBlocks);
 fputc(sep,f);
 if (sep == ',') fputc('"',f);
 fprintf(f, "%s", el->fudgeThick);
 if (sep == ',') fputc('"',f);
 fputc(lastSep,f);
 }
 
 /* -------------------------------- End autoSql Generated Code -------------------------------- */
 
 boolean liftOverChainExists(struct sqlConnection *conn, char *tableName,
                                 char *fromDb, char *toDb)
 /* Return TRUE if row where fromDb and toDb match */
 {
 char query[256];
-safef(query, sizeof(query), 
+sqlSafef(query, sizeof(query), 
         "select count(*) from %s where fromDb = '%s' and toDb = '%s'",
 	        tableName, fromDb, toDb);
 return sqlQuickNum(conn, query) > 0;
 }
 
 void liftOverChainRemove(struct sqlConnection *conn, char *tableName,
                                 char *fromDb, char *toDb)
 /* Remove rows where fromDb and toDb match */
 {
 char query[256];
-safef(query, sizeof(query), 
+sqlSafef(query, sizeof(query), 
         "delete from %s where fromDb = '%s' and toDb = '%s'",
 	        tableName, fromDb, toDb);
 sqlUpdate(conn, query);
 }
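Review bot: In liftOverChainExists and liftOverChainRemove, `tableName` enters the statement through the same `%s` as the quoted values fromDb and toDb, but it is an unquoted identifier; escaping quotes and backslashes in a value does nothing to constrain an identifier, so the switch to sqlSafef closes the injection through fromDb/toDb only, not through tableName if it is ever caller-controlled. Either document the contract, e.g. `/* tableName must be a trusted identifier: sqlSafef escapes quoted values, not identifiers */`, or validate it against an identifier pattern before formatting. Separately, both functions keep a fixed `char query[256]`; escaping can only lengthen fromDb/toDb, so a pair that fit before the change may now exceed the buffer, and whether sqlSafef aborts or truncates on overflow is not visible here — a larger buffer or a dyString would remove the question.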