080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/loweutils.c src/hg/lib/loweutils.c
index cdb42fc..529d238 100644
--- src/hg/lib/loweutils.c
+++ src/hg/lib/loweutils.c
@@ -48,50 +48,50 @@ char query[512]; struct sqlResult *sr = NULL; char **row; struct minGeneInfo* ginfo = NULL; char gbProtCodeXra[50]; if (strcmp(database, dbName) == 0) strcpy(gbProtCodeXra, "gbProtCodeXra"); else { strcpy(gbProtCodeXra, dbName); strcat(gbProtCodeXra, ".gbProtCodeXra"); } if (hTableExists(dbName, "gbProtCodeXra")) {
- sprintf(query, "select * from %s where name = '%s'", gbProtCodeXra, geneName);
+ sqlSafef(query, sizeof query, "select * from %s where name = '%s'", gbProtCodeXra, geneName);
 sr = sqlGetResult(conn, query); if ((row = sqlNextRow(sr)) != NULL) ginfo = minGeneInfoLoad(row); } if (sr != NULL) sqlFreeResult(&sr); return ginfo; } void getGenomeClade(struct sqlConnection *conn, char *dbName, char *genome, char *clade) { char query[512]; struct sqlResult *srDb; char **rowDb; struct sqlConnection *connCentral = hConnectCentral();
- sprintf(query, "select count(*) from genomeClade a, dbDb b, clade c where a.genome = b.genome and a.clade = c.name and b.name = '%s'",
+ sqlSafef(query, sizeof query, "select count(*) from genomeClade a, dbDb b, clade c where a.genome = b.genome and a.clade = c.name and b.name = '%s'",
 dbName); srDb = sqlGetResult(connCentral, query); if ((rowDb = sqlNextRow(srDb)) != NULL) { sqlFreeResult(&srDb);
- sprintf(query, "select a.genome, c.label from genomeClade a, dbDb b, clade c where a.genome = b.genome and a.clade = c.name and b.name = '%s'",
+ sqlSafef(query, sizeof query, "select a.genome, c.label from genomeClade a, dbDb b, clade c where a.genome = b.genome and a.clade = c.name and b.name = '%s'",
 dbName); srDb = sqlGetResult(connCentral, query); if ((rowDb = sqlNextRow(srDb)) != NULL) { strcpy(genome, rowDb[0]); strcpy(clade, rowDb[1]); } } sqlFreeResult(&srDb); hDisconnectCentral(&connCentral); }
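Review bot: The `else` branch a few lines above the first `sqlSafef` call still fills `gbProtCodeXra[50]` with unbounded `strcpy`/`strcat` from the caller-supplied `dbName`, so a database name longer than 35 characters overruns that buffer before the now-escaped query is even built; `snprintf(gbProtCodeXra, sizeof gbProtCodeXra, "%s.gbProtCodeXra", dbName);` followed by a truncation check (or the library's `safef`, if that is the local convention) closes the gap the commit leaves. In `getGenomeClade` the same hunk's `strcpy(genome, rowDb[0]); strcpy(clade, rowDb[1]);` copy result columns into caller buffers whose sizes are never passed in and would dereference NULL if either column were NULL — presumably the central schema rules that out, but it is worth confirming or bounding. The function containing the first changed line begins outside the hunk.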