080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/pgSnp.c src/hg/lib/pgSnp.c
index 0ebfeaf..7e610d4 100644
--- src/hg/lib/pgSnp.c
+++ src/hg/lib/pgSnp.c
@@ -96,66 +96,39 @@ while ((row = sqlNextRow(sr)) != NULL) { el = pgSnpLoad(row); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } void pgSnpSaveToDb(struct sqlConnection *conn, struct pgSnp *el, char *tableName, int updateSize) /* Save pgSnp as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use pgSnpSaveToDbEscaped() */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ { struct dyString *update = newDyString(updateSize); -dyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%d,'%s','%s')", +sqlDyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%d,'%s','%s')", tableName, el->bin, el->chrom, el->chromStart, el->chromEnd, el->name, el->alleleCount, el->alleleFreq, el->alleleScores); sqlUpdate(conn, update->string); freeDyString(&update); } -void pgSnpSaveToDbEscaped(struct sqlConnection *conn, struct pgSnp *el, char *tableName, int updateSize) -/* Save pgSnp as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than pgSnpSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. 
*/ -{ -struct dyString *update = newDyString(updateSize); -char *chrom, *name, *alleleFreq, *alleleScores; -chrom = sqlEscapeString(el->chrom); -name = sqlEscapeString(el->name); -alleleFreq = sqlEscapeString(el->alleleFreq); -alleleScores = sqlEscapeString(el->alleleScores); - -dyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%d,'%s','%s')", - tableName, el->bin, chrom, el->chromStart, el->chromEnd, name, el->alleleCount, alleleFreq, alleleScores); -sqlUpdate(conn, update->string); -freeDyString(&update); -freez(&chrom); -freez(&name); -freez(&alleleFreq); -freez(&alleleScores); -} struct pgSnp *pgSnpCommaIn(char **pS, struct pgSnp *ret) /* Create a pgSnp out of a comma separated string. * This will fill in ret if non-null, otherwise will * return a new pgSnp */ { char *s = *pS; if (ret == NULL) AllocVar(ret); ret->bin = sqlUnsignedComma(&s); ret->chrom = sqlStringComma(&s); ret->chromStart = sqlUnsignedComma(&s); ret->chromEnd = sqlUnsignedComma(&s); ret->name = sqlStringComma(&s); 
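Review bot: Removing pgSnpSaveToDbEscaped drops a public library function, yet this diff touches only pgSnp.c; if the matching header still declares it or any caller still uses it, those need the same treatment in this commit, and neither is visible here. The rewritten comment on pgSnpSaveToDb says strings are escaped but not by whom, which matters now that a caller passing pre-escaped text would get it escaped twice; I would extend the line to ` * inserted as NULL. Strings are escaped by sqlDyStringPrintf, so pass raw, unescaped values. */`. The loop at the top of the hunk belongs to a function that starts before it, and pgSnpCommaIn continues past the end of the hunk.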
@@ -389,31 +362,31 @@ void aaProperties (char *aa1, char *aa2); void printSeqCodDisplay(char *db, struct pgSnp *item, char *genePredTable) /* print the display of sequence changes for a coding variant */ { struct bed *list = NULL, *el, *th = NULL; struct sqlResult *sr; char **row; char query[512]; struct sqlConnection *conn = hAllocConn(db); if (!sqlTableExists(conn, genePredTable)) { hFreeConn(&conn); return; } -safef(query, sizeof(query), "select chrom, txStart, txEnd, name, 0, strand, cdsStart, cdsEnd, " +sqlSafef(query, sizeof(query), "select chrom, txStart, txEnd, name, 0, strand, cdsStart, cdsEnd, " "0, exonCount, exonEnds, exonStarts from %s " "where chrom = '%s' and cdsStart <= %d and cdsEnd >= %d", genePredTable, item->chrom, item->chromStart, item->chromEnd); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { el = bedLoad12(row); /* adjust exonStarts and exonEnds to actual bed values */ int i; for (i=0;i<el->blockCount;i++) { el->blockSizes[i] = el->blockSizes[i] - el->chromStarts[i]; el->chromStarts[i] = el->chromStarts[i] - el->chromStart; } 
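Review bot: The two `%d` conversions on the new sqlSafef line receive item->chromStart and item->chromEnd, which the insert in the first hunk formats with `%u` and pgSnpCommaIn reads with sqlUnsignedComma, so these fields appear to be unsigned; handing an unsigned value to `%d` is a format/type mismatch that -Wformat reports, even if genomic coordinates never reach INT_MAX in practice. The same pair of `%d` conversions is in the sqlSafef call of the third hunk. Using `"where chrom = '%s' and cdsStart <= %u and cdsEnd >= %u"` here (and `chromStart = %u and chromEnd = %u` there), with the arguments unchanged, lines the three call sites up. printSeqCodDisplay's body continues past the end of the hunk.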
@@ -620,31 +593,31 @@ /* print the links to phenotype and other databases for pgSnps */ { struct pgPhenoAssoc *el; struct sqlResult *sr; char **row; char query[512]; struct sqlConnection *conn = hAllocConn(db); char *dbList[8]; int tot = 0, i = 0, first = 1; char *tabs = trackDbSetting(tdb, "pgDbLink"); if (tabs == NULL) return; tot = chopByWhite(tabs, dbList, ArraySize(dbList)); for(i=0;i<tot;i++) { - safef(query, sizeof(query), "select chrom, chromStart, chromEnd, name, srcUrl from %s where chrom = '%s' and chromStart = %d and chromEnd = %d", + sqlSafef(query, sizeof(query), "select chrom, chromStart, chromEnd, name, srcUrl from %s where chrom = '%s' and chromStart = %d and chromEnd = %d", dbList[i], item->chrom, item->chromStart, item->chromEnd); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { if (first == 1) { printf("<br><b>Links to phenotype databases</b><br>\n"); first = 0; } el = pgPhenoAssocLoad(row); printf("<a href=\"%s\">%s</a></br>\n", el->srcUrl, el->name); } } }
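Review bot: The connection obtained from hAllocConn(db) is never released in this function: the early `return;` when tabs is NULL leaves it open, the closing brace at the end of the hunk is reached without hFreeConn(&conn), the per-table result is never released with sqlFreeResult(&sr), and the pgPhenoAssoc rows loaded into el are never freed, so every call leaks (presumably handles from the kent connection cache; confirm against hAllocConn's contract). Moving `if (tabs == NULL) return;` above the hAllocConn call, adding `sqlFreeResult(&sr);` after the inner while loop and `hFreeConn(&conn);` before the final brace would close all of them. Unlike the hunk above, the query on dbList[i] is issued without a sqlTableExists check, so a stale pgDbLink entry in trackDb would likely abort the page rather than be skipped. The function's signature line is outside the hunk.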