080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/trackVersion.c src/hg/lib/trackVersion.c
index 03c525e..f0d072f 100644
--- src/hg/lib/trackVersion.c
+++ src/hg/lib/trackVersion.c
@@ -97,74 +97,39 @@ while ((row = sqlNextRow(sr)) != NULL)
 {
 el = trackVersionLoad(row);
 slAddHead(&list, el);
 }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 void trackVersionSaveToDb(struct sqlConnection *conn, struct trackVersion *el, char *tableName, int updateSize)
 /* Save trackVersion as a row to the table specified by tableName.
 * As blob fields may be arbitrary size updateSize specifies the approx size
 * of a string that would contain the entire query. Arrays of native types are
 * converted to comma separated strings and loaded as such, User defined types are
- * inserted as NULL. Note that strings must be escaped to allow insertion into the database.
- * For example "autosql's features include" --> "autosql\'s features include"
- * If worried about this use trackVersionSaveToDbEscaped() */
+ * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */
 {
 struct dyString *update = newDyString(updateSize);
-dyStringPrintf(update, "insert into %s values ( %d,'%s','%s','%s','%s','%s','%s','%s','%s')",
+sqlDyStringPrintf(update, "insert into %s values ( %d,'%s','%s','%s','%s','%s','%s','%s','%s')",
 tableName, el->ix, el->db, el->name, el->who, el->version, el->updateTime, el->comment, el->source, el->dateReference);
 sqlUpdate(conn, update->string);
 freeDyString(&update);
 }
-void trackVersionSaveToDbEscaped(struct sqlConnection *conn, struct trackVersion *el, char *tableName, int updateSize)
-/* Save trackVersion as a row to the table specified by tableName.
- * As blob fields may be arbitrary size updateSize specifies the approx size.
- * of a string that would contain the entire query. Automatically
- * escapes all simple strings (not arrays of string) but may be slower than trackVersionSaveToDb().
- * For example automatically copies and converts:
- * "autosql's features include" --> "autosql\'s features include"
- * before inserting into database. */
-{
-struct dyString *update = newDyString(updateSize);
-char *db, *name, *who, *version, *updateTime, *comment, *source, *dateReference;
-db = sqlEscapeString(el->db);
-name = sqlEscapeString(el->name);
-who = sqlEscapeString(el->who);
-version = sqlEscapeString(el->version);
-updateTime = sqlEscapeString(el->updateTime);
-comment = sqlEscapeString(el->comment);
-source = sqlEscapeString(el->source);
-dateReference = sqlEscapeString(el->dateReference);
-
-dyStringPrintf(update, "insert into %s values ( %d,'%s','%s','%s','%s','%s','%s','%s','%s')",
- tableName, el->ix, db, name, who, version, updateTime, comment, source, dateReference);
-sqlUpdate(conn, update->string);
-freeDyString(&update);
-freez(&db);
-freez(&name);
-freez(&who);
-freez(&version);
-freez(&updateTime);
-freez(&comment);
-freez(&source);
-freez(&dateReference);
-}
 struct trackVersion *trackVersionCommaIn(char **pS, struct trackVersion *ret)
 /* Create a trackVersion out of a comma separated string.
 * This will fill in ret if non-null, otherwise will
 * return a new trackVersion */
 {
 char *s = *pS;
 if (ret == NULL)
 AllocVar(ret);
 ret->ix = sqlSignedComma(&s);
 ret->db = sqlStringComma(&s);
 ret->name = sqlStringComma(&s);
 ret->who = sqlStringComma(&s);
 ret->version = sqlStringComma(&s);
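Review bot: `tableName` is still spliced into `insert into %s values` as a bare identifier, and whatever escaping sqlDyStringPrintf applies to `%s` values (I cannot see its implementation from this hunk) does not make an identifier safe — escaping quotes inside a string literal is not the same as rejecting spaces, semicolons or backticks in a table name, so trackVersionSaveToDb is only as safe as every caller's tableName. If the library offers an identifier check, apply it to tableName before formatting; otherwise compare it against the expected set of table names and errAbort on anything else. At minimum the rewritten header comment should state the contract, e.g. ` * inserted as NULL. Strings are automatically escaped to allow insertion into the database; tableName is used as an identifier and must be trusted or validated by the caller. */`. Dropping trackVersionSaveToDbEscaped also removes a public symbol — fine if autoSql regenerated all callers, but any hand-written caller will now fail to link, which is worth a grep before merging.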
@@ -246,25 +211,25 @@ fputc(lastSep,f);
 }
 /* -------------------------------- End autoSql Generated Code -------------------------------- */
 struct trackVersion *getTrackVersion(char *database, char *track)
 // Get most recent trackVersion for given track in given database
 {
 boolean trackVersionExists = !trackHubDatabase(database) && hTableExists("hgFixed", "trackVersion");
 struct trackVersion *trackVersion = NULL;
 if (trackVersionExists)
 {
 char query[256];
 struct sqlConnection *conn = hAllocConn(database);
- safef(query, sizeof(query), "select * from hgFixed.trackVersion where db = '%s' AND name = '%s' order by ix DESC limit 1", database, track);
+ sqlSafef(query, sizeof(query), "select * from hgFixed.trackVersion where db = '%s' AND name = '%s' order by ix DESC limit 1", database, track);
 struct sqlResult *sr = sqlGetResult(conn, query);
 char **row;
 if ((row = sqlNextRow(sr)) != NULL)
 trackVersion = trackVersionLoad(row);
 sqlFreeResult(&sr);
 hFreeConn(&conn);
 }
 return trackVersion;
 }
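Review bot: The escaped query is still formatted into the fixed `char query[256]`, and escaping can roughly double the length of a hostile `track` value (each quote or backslash grows by one byte), so an attacker-influenced track name can now exhaust the buffer where the unescaped version fit; the format literal alone is about 100 bytes, leaving roughly 150 for `database` plus `track` after escaping. What happens on overflow depends on sqlSafef, which is not visible here — if it aborts like safef, a long track name is a request-killing input; if it truncates, the query is silently malformed. Switching to a dyString, as the other hunk in this commit already does for the insert path, removes the limit entirely; the rewritten lines are sketched below. getTrackVersion lies entirely within the hunk.
```c
    struct sqlConnection *conn = hAllocConn(database);
    struct dyString *query = newDyString(256);
    sqlDyStringPrintf(query, "select * from hgFixed.trackVersion where db = '%s' AND name = '%s' order by ix DESC limit 1", database, track);
    struct sqlResult *sr = sqlGetResult(conn, query->string);
    /* … unchanged: sqlNextRow / trackVersionLoad / sqlFreeResult / hFreeConn … */
    freeDyString(&query);
```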