080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/lib/variome.c src/hg/lib/variome.c
index 03fb830..fed6085 100644
--- src/hg/lib/variome.c
+++ src/hg/lib/variome.c
@@ -111,80 +111,39 @@ while ((row = sqlNextRow(sr)) != NULL) { el = variomeLoad(row); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } void variomeSaveToDb(struct sqlConnection *conn, struct variome *el, char *tableName, int updateSize) /* Save variome as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use variomeSaveToDbEscaped() */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ { struct dyString *update = newDyString(updateSize); -dyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%u,'%s','%s','%s','%s','%s','%s','%s','%s',%u,'%s')", +sqlDyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%u,'%s','%s','%s','%s','%s','%s','%s','%s',%u,'%s')", tableName, el->bin, el->chrom, el->chromStart, el->chromEnd, el->name, el->score, el->strand, el->db, el->owner, el->color, el->class, el->creationDate, el->lastModifiedDate, el->descriptionKey, el->id, el->geneSymbol); sqlUpdate(conn, update->string); freeDyString(&update); } -void variomeSaveToDbEscaped(struct sqlConnection *conn, struct variome *el, char *tableName, int updateSize) -/* Save variome as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than variomeSaveToDb(). 
- * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ -{ -struct dyString *update = newDyString(updateSize); -char *chrom, *name, *strand, *db, *owner, *color, *class, *creationDate, *lastModifiedDate, *descriptionKey, *geneSymbol; -chrom = sqlEscapeString(el->chrom); -name = sqlEscapeString(el->name); -strand = sqlEscapeString(el->strand); -db = sqlEscapeString(el->db); -owner = sqlEscapeString(el->owner); -color = sqlEscapeString(el->color); -class = sqlEscapeString(el->class); -creationDate = sqlEscapeString(el->creationDate); -lastModifiedDate = sqlEscapeString(el->lastModifiedDate); -descriptionKey = sqlEscapeString(el->descriptionKey); -geneSymbol = sqlEscapeString(el->geneSymbol); - -dyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%u,'%s','%s','%s','%s','%s','%s','%s','%s',%u,'%s')", - tableName, el->bin, chrom, el->chromStart, el->chromEnd, name, el->score, strand, db, owner, color, class, creationDate, lastModifiedDate, descriptionKey, el->id, geneSymbol); -sqlUpdate(conn, update->string); -freeDyString(&update); -freez(&chrom); -freez(&name); -freez(&strand); -freez(&db); -freez(&owner); -freez(&color); -freez(&class); -freez(&creationDate); -freez(&lastModifiedDate); -freez(&descriptionKey); -freez(&geneSymbol); -} struct variome *variomeCommaIn(char **pS, struct variome *ret) /* Create a variome out of a comma separated string. * This will fill in ret if non-null, otherwise will * return a new variome */ { char *s = *pS; if (ret == NULL) AllocVar(ret); ret->bin = sqlUnsignedComma(&s); ret->chrom = sqlStringComma(&s); ret->chromStart = sqlUnsignedComma(&s); ret->chromEnd = sqlUnsignedComma(&s); ret->name = sqlStringComma(&s); 
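Review bot: `variomeSaveToDb` now escapes every `%s` argument, including `tableName`, yet `tableName` is interpolated unquoted in identifier position, and escaping a value does not constrain it to be a valid identifier; the function therefore still relies on callers passing a trusted table name (the only visible caller passes the literal "variome"). The new header comment should state that contract, e.g. `/* tableName must be a trusted identifier; it is escaped but not validated here. */`. `variomeSaveToDbEscaped` is deleted in this hunk, but its declaration in the matching header is not part of this diff; confirm it is removed there as well so any remaining caller fails at compile time rather than at link time. The `while` loop at the top of the hunk belongs to a function that starts outside it, and the hunk ends inside `variomeCommaIn`, whose body continues past it.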
@@ -316,31 +275,31 @@ char *variomeCoorList[] = { "exact coordinates", "estimated coordinates", }; int variomeClassCnt = ArraySize(variomeClassList); struct variome *findVariomeItemId(char *db, char *wikiItemId) /* given a wikiItemId return the row from the table */ { struct variome *item; char query[256]; struct sqlConnection *conn = wikiConnect(); -safef(query, ArraySize(query), "SELECT * FROM variome WHERE id='%s' limit 1", +sqlSafef(query, ArraySize(query), "SELECT * FROM variome WHERE id='%s' limit 1", wikiItemId); item = variomeLoadByQuery(conn, query); if (NULL == item) errAbort("display wiki item: failed to load item '%s'", wikiItemId); wikiDisconnect(&conn); return item; } /* use functions from lib/wikiTrack.c, lib/wikiLink.c for accessing wiki pages */ int addVariomeItem(char *db, char *chrom, int start, int end, char *name, int score, char *strand, char *owner, char *class, char *color, char *category, char *geneSymbol, char *wikiKey) 
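Review bot: `findVariomeItemId` now escapes `wikiItemId` inside the quoted `id='%s'`, which closes the injection, but it still accepts an arbitrary string for a column that the other hunks treat as an integer (`WHERE id='%d'`). If `id` is numeric, parsing `wikiItemId` first (for example with `sqlUnsigned`) and formatting it with `%u` would reject malformed input outright instead of merely neutralising it, and would make the `errAbort` path report a clearer cause. The `errAbort` message echoes the raw `wikiItemId`; that is fine for a log line, but worth noting if the text can reach a web page. `addVariomeItem`'s signature is the last thing in this hunk and its body lies outside it.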
@@ -359,65 +318,65 @@ safef(newItem->strand, sizeof(newItem->strand), "%s", "+"); else if (sameString(strand, "minus")) safef(newItem->strand, sizeof(newItem->strand), "%s", "-"); else safef(newItem->strand, sizeof(newItem->strand), "%s", " "); newItem->db = cloneString(db); newItem->owner = cloneString(owner); newItem->class = cloneString(class); newItem->color = cloneString(color); newItem->creationDate = cloneString("0"); newItem->lastModifiedDate = cloneString("0"); newItem->descriptionKey = cloneString("0"); newItem->id = 0; newItem->geneSymbol = cloneString(geneSymbol); -variomeSaveToDbEscaped(conn, newItem, "variome", 1024); +variomeSaveToDb(conn, newItem, "variome", 1024); int id = sqlLastAutoId(conn); char descriptionKey[256]; /* when wikiKey is NULL, assign the default key of category:db-id, * else, it is the proper key */ if (wikiKey) safef(descriptionKey,ArraySize(descriptionKey), "%s", wikiKey); else safef(descriptionKey,ArraySize(descriptionKey), "%s:%s-%d", category, db, id); variomeFree(&newItem); char query[1024]; -safef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'", +sqlSafef(query, ArraySize(query), "UPDATE %s set creationDate=now(),lastModifiedDate=now(),descriptionKey='%s' WHERE id='%d'", "variome", descriptionKey, id); sqlUpdate(conn,query); wikiDisconnect(&conn); return (id); } void updateVariomeLastModifiedDate(char *db, int id) /* set lastModifiedDate to now() */ { char query[512]; struct sqlConnection *conn = wikiConnect(); -safef(query, ArraySize(query), +sqlSafef(query, ArraySize(query), "UPDATE %s set lastModifiedDate=now() WHERE id='%d'", "variome", id); sqlUpdate(conn,query); wikiDisconnect(&conn); } void deleteVariomeItem(char *db, int id) /* delete the item with specified id */ { char query[512]; struct sqlConnection *conn = wikiConnect(); -safef(query, ArraySize(query), "DELETE FROM %s WHERE id='%d'", +sqlSafef(query, ArraySize(query), "DELETE FROM %s WHERE 
id='%d'", "variome", id); sqlUpdate(conn,query); wikiDisconnect(&conn); } /* prefixComments and addDescription used from wikiTrack.c */
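Review bot: Nothing in `deleteVariomeItem` or `updateVariomeLastModifiedDate` checks who may modify or delete the row — both act on the bare `id` — and if the owner or login check lives in the callers, that assumption should be written down where the query is issued: `/* authorisation is the caller's job; this routine deletes unconditionally */`. The switch to `sqlSafef` is the right fix for `descriptionKey`, which in `addVariomeItem` is copied from the caller-supplied `wikiKey` before being interpolated into `descriptionKey='%s'`. As a point of style, all three statements compare the integer `id` as a quoted string (`id='%d'`); `id=%d` matches the argument type and avoids relying on the database's implicit string-to-number conversion. `addVariomeItem`'s body starts before this hunk.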