src/hg/mrnaToGene/mrnaToGene.c 080a160c7b9595d516c9c70e83689a09b60839d0

080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/mrnaToGene/mrnaToGene.c src/hg/mrnaToGene/mrnaToGene.c
index 3b0b075..1c4756c 100644
--- src/hg/mrnaToGene/mrnaToGene.c
+++ src/hg/mrnaToGene/mrnaToGene.c
@@ -121,31 +121,31 @@
     if (!isdigit(*verPtr))
         return -1;
     verPtr++;
     }
 return dotIdx;
 }
 
 char *cdsQuery(struct sqlConnection *conn, char *acc, char *cdsBuf, int cdsBufSize)
 /* query for a CDS, either in the hash table or database */
 {
 if (gCdsTable != NULL)
     return hashFindVal(gCdsTable, acc);
 else
     {
     char query[512];
-    safef(query, sizeof(query),
+    sqlSafef(query, sizeof(query),
           "SELECT cds.name FROM cds,gbCdnaInfo WHERE (gbCdnaInfo.acc = '%s') AND (gbCdnaInfo.cds !=0) AND (gbCdnaInfo.cds = cds.id)",
           acc);
     return sqlQuickQuery(conn, query, cdsBuf, cdsBufSize);
     }
 }
 
 char *getCdsForAcc(struct sqlConnection *conn, char *acc, char *cdsBuf, int cdsBufSize)
 /* look up a cds, trying with and without version, and optionally dropping unique suffix */
 {
 char *dash = NULL;
 if (gIgnoreUniqSuffix)
     {
     dash = strrchr(acc, '-');
     if (dash != NULL)
         *dash = '\0';
@@ -257,31 +257,31 @@
 {
 struct psl *psl = pslLoad(row+1);
 struct  genbankCds cds;
 genbankCdsParse(row[0], &cds);
 convertPsl(psl, &cds, genePredFh);
 pslFree(&psl);
 }
 
 void convertPslTable(struct sqlConnection *conn, char *pslTable, FILE *genePredFh)
 /* convert mrnas in a psl table to genePred objects */
 {
 char query[512], **row;
 struct sqlResult *sr;
 
 /* generate join of cds with psls */
-safef(query, sizeof(query),
+sqlSafef(query, sizeof(query),
       "SELECT cds.name,matches,misMatches,repMatches,nCount,qNumInsert,qBaseInsert,tNumInsert,tBaseInsert,strand,qName,qSize,qStart,qEnd,tName,tSize,tStart,tEnd,blockCount,blockSizes,qStarts,tStarts "
       "FROM cds,%s,gbCdnaInfo WHERE (%s.qName = gbCdnaInfo.acc) AND (gbCdnaInfo.cds !=0) AND (gbCdnaInfo.cds = cds.id)",
       pslTable, pslTable);
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     convertPslTableRow(row, genePredFh);
 sqlFreeResult(&sr);
 }
 
 void convertPslFileRow(struct sqlConnection *conn, char **row, FILE *genePredFh)
 /* A row from the PSL file, getting CDS */
 {
 struct psl *psl = pslLoad(row);
 struct  genbankCds cds = getCds(conn, psl);
 convertPsl(psl, &cds, genePredFh);