080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/pgPolyphenPred.c src/hg/lib/pgPolyphenPred.c
index 1e61ce6..7d889b3 100644
--- src/hg/lib/pgPolyphenPred.c
+++ src/hg/lib/pgPolyphenPred.c
@@ -187,31 +187,31 @@
 if (sep == ',') fputc('"',f);
 fputc(lastSep,f);
 }
 
 /* -------------------------------- End autoSql Generated Code -------------------------------- */
 
 void printPgPolyphenPred (char *db, char *tableName, struct pgSnp *item)
 /* print the predictions for an hgc item click for a pgSnp track */
 {
 struct pgPolyphenPred *el;
 struct sqlResult *sr;
 char **row;
 char query[512];
 struct sqlConnection *conn = hAllocConn(db);
 
-safef(query, sizeof(query), "select * from %s where chrom = '%s' and chromStart = %d and chromEnd = %d",
+sqlSafef(query, sizeof(query), "select * from %s where chrom = '%s' and chromStart = %d and chromEnd = %d",
     tableName, item->chrom, item->chromStart, item->chromEnd);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = pgPolyphenPredLoadWithNull(row);
     printf("<br><b>Polyphen prediction</b>: %s\n", el->prediction);
     printf("<ul>");
     if (el->basedOn != NULL && differentString(el->basedOn, ""))
         printf("<li>based on: %s</li>\n", el->basedOn);
     if (el->geneName != NULL && differentString(el->geneName, ""))
         printf("<li>Protein name: %s</li>\n", el->geneName);
     if (el->aaChange != NULL && differentString(el->aaChange, ""))
         printf("<li>Amino acid change: %s</li>\n", el->aaChange);
     printf("</ul>\n");
     }
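Review bot: The new sqlSafef call (presumably escaping its %s/%d arguments as values) protects `item->chrom`, `chromStart` and `chromEnd`, but `tableName` is substituted as a bare identifier in `from %s`, and value-escaping of quotes and backslashes does not constrain an identifier — a name containing whitespace or `;` would still alter the statement. Unless every caller passes a track-derived, trusted table name, the name should be validated as an identifier (or checked against the known table list) before the query is built; at minimum I would add `/* tableName is a bare identifier: sqlSafef escapes values, not names -- callers must pass only trusted track table names */` above the sqlSafef line. Separately, the fetched fields are echoed into HTML via `printf("... %s", el->prediction)` and the `<li>` lines without HTML escaping, so a stored value could still inject markup; that is outside this commit's stated scope but deserves the same review. printPgPolyphenPred's body continues past the hunk, so the release of `sr` and `conn` is not visible here.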