080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/pslReader.c src/hg/lib/pslReader.c
index 15eabff..de50475 100644
--- src/hg/lib/pslReader.c
+++ src/hg/lib/pslReader.c
@@ -1,24 +1,96 @@
 /* pslReader - object to read psl objects from database tables or files. */
 #include "common.h"
 #include "pslReader.h"
 #include "jksql.h"
 #include "hdb.h"
 #include "linefile.h"
 #include "psl.h"
+
+static char *createString =
+"CREATE TABLE %s (\n"
+ "%-s" /* Optional bin */
+ "matches int unsigned not null, # Number of bases that match that aren't repeats\n"
+ "misMatches int unsigned not null, # Number of bases that don't match\n"
+ "repMatches int unsigned not null, # Number of bases that match but are part of repeats\n"
+ "nCount int unsigned not null, # Number of 'N' bases\n"
+ "qNumInsert int unsigned not null, # Number of inserts in query\n"
+ "qBaseInsert int unsigned not null, # Number of bases inserted in query\n"
+ "tNumInsert int unsigned not null, # Number of inserts in target\n"
+ "tBaseInsert int unsigned not null, # Number of bases inserted in target\n"
+ "strand char(2) not null, # + or - for strand. First character is query, second is target.\n"
+ "qName varchar(255) not null, # Query sequence name\n"
+ "qSize int unsigned not null, # Query sequence size\n"
+ "qStart int unsigned not null, # Alignment start position in query\n"
+ "qEnd int unsigned not null, # Alignment end position in query\n"
+ "tName varchar(255) not null, # Target sequence name\n"
+ "tSize int unsigned not null, # Target sequence size\n"
+ "tStart int unsigned not null, # Alignment start position in target\n"
+ "tEnd int unsigned not null, # Alignment end position in target\n"
+ "blockCount int unsigned not null, # Number of blocks in alignment\n"
+ "blockSizes longblob not null, # Size of each block\n"
+ "qStarts longblob not null, # Start of each block in query.\n"
+ "tStarts longblob not null, # Start of each block in target.\n";
+
+static char *indexString =
+ "#Indices\n"
+ "%s" /* Optional bin. */
+ "INDEX(qName(12))\n"
+")\n";
+
+
+char* pslGetCreateSql(char* table, unsigned options, int tNameIdxLen)
+/* Get SQL required to create PSL table. 
Options is a bit set consisting
+ * of PSL_TNAMEIX, PSL_WITH_BIN, and PSL_XA_FORMAT. tNameIdxLen is
+ * the number of characters in target name to index. If greater than
+ * zero, must specify PSL_TNAMEIX. If zero and PSL_TNAMEIX is specified,
+ * to will default to 8. */
+{
+struct dyString *sqlCmd = newDyString(2048);
+char binIx[32];
+
+binIx[0] = '\0';
+
+/* check and default tNameIdxLen */
+if ((tNameIdxLen > 0) && !(options & PSL_TNAMEIX))
+ errAbort("pslGetCreateSql: must specify PSL_TNAMEIX with tNameIdxLen > 0");
+if ((options & PSL_TNAMEIX) && (tNameIdxLen == 0))
+ tNameIdxLen = 8;
+
+/* setup tName and bin index fields */
+if (options & PSL_WITH_BIN)
+ {
+ if (options & PSL_TNAMEIX)
+ safef(binIx, sizeof(binIx), "INDEX(tName(%d),bin),\n", tNameIdxLen);
+ else
+ safef(binIx, sizeof(binIx), "INDEX(bin),\n");
+ }
+else if (options & PSL_TNAMEIX)
+ safef(binIx, sizeof(binIx), "INDEX(tName(%d)),\n", tNameIdxLen);
+sqlDyStringPrintf(sqlCmd, createString, table,
+ ((options & PSL_WITH_BIN) ? "bin smallint unsigned not null,\n" : ""));
+if (options & PSL_XA_FORMAT)
+ {
+ dyStringPrintf(sqlCmd, "qSeq longblob not null,\n");
+ dyStringPrintf(sqlCmd, "tSeq longblob not null,\n");
+ }
+dyStringPrintf(sqlCmd, indexString, binIx);
+return dyStringCannibalize(&sqlCmd);
+}
+
 struct pslReader
 /* Object to read psl objects from database tables or files. */
 {
 char *table; /* name of table or file */
 boolean isPslx; /* have qSequence, tSequence columns */
 /* for DB access */
 struct sqlResult *sr; /* results if reading from a DB */
 int rowOffset; /* offset if have a bin column */
 /* for file access */
 struct lineFile *lf; /* lineFile when reading from a file */
 char* chrom; /* chrom restriction for files */
 };
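Review bot: pslGetCreateSql still accepts a negative tNameIdxLen when PSL_TNAMEIX is set — the two guards only reject `> 0` without the flag and default `== 0` with it — so `INDEX(tName(-1))` is emitted and the bad DDL is caught only when the server rejects it; add `if (tNameIdxLen < 0) errAbort("pslGetCreateSql: tNameIdxLen must be >= 0");` ahead of the existing checks. The function also builds one statement with two different formatters: the CREATE header goes through sqlDyStringPrintf, while the qSeq/tSeq columns and the indexString tail are appended with plain dyStringPrintf. Those appends are compile-time literals plus binIx, which is formatted from an int, so no injection path is visible, but in a commit titled "fix SQL Injection" that reasoning deserves a comment such as `/* binIx is built from an int above; no caller-supplied text reaches dyStringPrintf */`, or the tail could use sqlDyStringPrintf with the `%-s` form the createString template already relies on, if `%-s` is the trusted-text escape hatch it appears to be. Whether `%s` in sqlDyStringPrintf validates `table` as an identifier rather than quoting it as a value is not visible in this hunk and should be confirmed, since an identifier cannot be parameterized.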
@@ -47,33 +119,33 @@
 }
 }
 struct pslReader *pslReaderQuery(struct sqlConnection* conn, char* table, char* where)
 /* Create a new pslReader to read from the given table in the database.
  * If where is not null, it is added as a where clause. It will determine if
  * pslx columns are in the table. */
 {
 char query[1024];
 struct pslReader* pr;
 AllocVar(pr);
 pr->table = cloneString(table);
 if (where != NULL)
- safef(query, sizeof(query), "select * from %s where %s", table, where);
+ sqlSafef(query, sizeof(query), "select * from %s where %s", table, where);
 else
- safef(query, sizeof(query), "select * from %s", table);
+ sqlSafef(query, sizeof(query), "select * from %s", table);
 pr->sr = sqlGetResult(conn, query);
 getTableInfo(pr);
 return pr;
 }
 struct pslReader *pslReaderChromQuery(struct sqlConnection* conn, char* table, char* chrom, char* extraWhere)
 /* Create a new pslReader to read all rows for a chrom in a database table.
  * If extraWhere is not null, it is added as an additional where condition. It
  * will determine if pslx columns are in the table. */
 {
 struct pslReader* pr;
 int rowOffset;