080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/sqlToXml/sqlToXml.c src/hg/sqlToXml/sqlToXml.c
index 94640d2..259bbb7 100644
--- src/hg/sqlToXml/sqlToXml.c
+++ src/hg/sqlToXml/sqlToXml.c
@@ -299,31 +299,31 @@
 lineFileClose(&lf);
 return root;
 }
 
 struct hash *tablesAndFields(struct sqlConnection *conn)
 /* Get hash of all tables.  Hash is keyed by table name.
  * Hash values are lists of typedField.   */
 {
 struct hash *hash = hashNew(0);
 struct slName *table, *tableList = sqlListTables(conn);
 for (table = tableList; table != NULL; table = table->next)
     {
     char query[256], **row;
     struct sqlResult *sr;
     struct typedField *fieldList = NULL, *field;
-    safef(query, sizeof(query), "describe %s", table->name);
+    sqlSafef(query, sizeof(query), "describe %s", table->name);
     sr = sqlGetResult(conn, query);
     while ((row = sqlNextRow(sr)) != NULL)
         {
 	char *name = row[0];
 	char *type = row[1];
 	char code = '"';
 	if ( startsWith("int", type)  
 	  || startsWith("float", type)
 	  || startsWith("tinyint", type)
 	  || startsWith("smallint", type))
 	    code = ' ';
 	AllocVar(field);
 	field->name = cloneString(name);
 	field->type = code;
 	slAddHead(&fieldList, field);
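Review bot: The new sqlSafef call on the `describe %s` line places table->name in an identifier position, not inside quotes, so the protection it gains depends on sqlSafef validating unquoted `%s` arguments for illegal SQL characters rather than only escaping them as quoted values; that is worth confirming against jksql's documented behavior, because value escaping alone would not reject a malformed identifier. A short comment would record the intent for later readers: `/* table->name is an identifier from sqlListTables; sqlSafef still checks it for illegal SQL characters */`. tablesAndFields's body continues past the end of the hunk.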
@@ -417,31 +417,31 @@
 	    }
 	if (tree->gotChildTags)
 	    if (!tree->hideTable)
 		fprintf(f, "\n");
 	for (branch = tree->children; branch != NULL; branch = branch->next)
 	    {
 	    char *target = branch->target;
 	    if (sameString(target, "text"))
 	        ;
 	    else if (!sameString(target, "hide"))
 		{
 		struct dyString *sql = dyStringNew(0);
 		int newDepth = depth;
 		if (!tree->hideTable)
 		    newDepth += 1;
-		dyStringPrintf(sql, "select * from %s where %s = ",
+		sqlDyStringPrintf(sql, "select * from %s where %s = ",
 			branch->targetTable, target);
 		if (branch->needsQuote)
 		    dyStringPrintf(sql, "\"%s\"", row[branch->fieldIx]);
 		else
 		    dyStringPrintf(sql, "%s", row[branch->fieldIx]);
 		if (maxList != 0)
 		    dyStringPrintf(sql, " limit %d", maxList);
 		rSqlToXml(cc, database, branch->targetTable, branch->targetField, 
 			sql->string, tableHash, branch, f, newDepth);
 		dyStringFree(&sql);
 		}
 	    }
 	if (!tree->hideTable)
 	    {
 	    if (tree->gotChildTags)
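Review bot: The row values appended immediately after the changed line still go through plain dyStringPrintf, so the quoted and unquoted `row[branch->fieldIx]` are inserted unescaped even though the statement prefix is now built with sqlDyStringPrintf; a stored value containing a double quote or backslash would break or alter the query (second-order injection from data already in the database). Both appends should use the same checked formatter: `sqlDyStringPrintf(sql, "\"%s\"", row[branch->fieldIx]);` and `sqlDyStringPrintf(sql, "%s", row[branch->fieldIx]);`. The `limit %d` append only formats an int and can stay as it is. The enclosing function starts before this hunk and ends after it.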
@@ -466,31 +466,31 @@
 FILE *f = mustOpen(outputXml, "w");
 char *topTag = optionVal("topTag", database);
 char *table = tree->targetTable;
 struct dyString *sql = dyStringNew(0);
 
 if (optionExists("query"))
     {
     char *queryFile = optionVal("query", NULL);
     char *query;
     readInGulp(queryFile, &query, NULL);
     if (!stringIn(table, query))
 	errAbort("No mention of table %s in %s.", table, queryFile);
     dyStringAppend(sql, query);
     }
 else
-    dyStringPrintf(sql, "select * from %s", table);
+    sqlDyStringPrintf(sql, "select * from %s", table);
 
 if (maxList > 0)
     dyStringPrintf(sql, " limit %d", maxList);
 
 if (!sqlTableExists(conn, table))
     errAbort("No table %s in %s", table, database);
 sqlConnCacheDealloc(cc, &conn);
 
 verbose(1, "%d tables in %s\n",
 	tableHash->elCount,  database);
 
 escaper = dyStringNew(0);
 fprintf(f, "<%s>\n", topTag);
 rSqlToXml(cc, database, table, "", sql->string, tableHash, tree, f, 1);
 fprintf(f, "</%s>\n", topTag);
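Review bot: The `query` option path still appends the file contents verbatim with dyStringAppend, so the sqlDyStringPrintf change covers only the default branch, and the `stringIn(table, query)` check confirms the table is mentioned without constraining the rest of the statement. That appears intentional for an operator-supplied query file, so a comment at the append would make the trust boundary explicit: `/* query file is trusted operator input; appended to the statement verbatim, unescaped */`. The enclosing function starts before this hunk and continues past it.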