080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/trackDbCustom.c src/hg/lib/trackDbCustom.c
index ac5feb4..f8bb9ed 100644
--- src/hg/lib/trackDbCustom.c
+++ src/hg/lib/trackDbCustom.c
@@ -1266,31 +1266,31 @@
 
 void tdbExtrasMembershipSet(struct trackDb *tdb,struct _membership *membership)
 // Sets the subtrack membership for later retrieval.
 {
 tdbExtrasGet(tdb)->membership = membership;
 }
 
 char *tdbBigFileName(struct sqlConnection *conn, struct trackDb *tdb)
 // Return file name associated with bigWig.  Do a freeMem on returned string when done.
 {
 char *fileName = trackDbSetting(tdb, "bigDataUrl"); // always takes precedence
 if (fileName != NULL)
     return cloneString(fileName);
 
 char query[256];
-safef(query, sizeof(query), "select fileName from %s", tdb->table);
+sqlSafef(query, sizeof(query), "select fileName from %s", tdb->table);
 return sqlQuickString(conn, query);
 }
 
 static void rTdbTreeAllowPack(struct trackDb *tdb)
 // Force this tdb and all children to allow pack/squish
 {
 tdb->canPack = TRUE;
 struct trackDb *childTdb = tdb->subtracks;
 for ( ;childTdb!=NULL;childTdb=childTdb->next)
     rTdbTreeAllowPack(childTdb);
 }
 
 boolean rTdbTreeCanPack(struct trackDb *tdb)
 // Trees can pack as all or none, since they can share vis.
 {
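Review bot: In tdbBigFileName, `tdb->table` fills an identifier position (`from %s`), so escaping quotes and backslashes as for a string value would not by itself constrain it. The fix is only complete if sqlSafef treats an unquoted `%s` as an identifier and rejects anything outside the table-name character set, which is not visible in this hunk. If it does not, the table name should be validated against the allowed identifier characters before the query is built. Either way, a comment on that line would record the assumption, e.g. `// tdb->table is an identifier: relies on sqlSafef checking unquoted %s as a table name`. The header comment could also state what the caller gets back when the query returns no row, since it tells callers to freeMem the result.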