080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/useCount/useCount.c src/hg/useCount/useCount.c
index ab7fdad..d318178 100644
--- src/hg/useCount/useCount.c
+++ src/hg/useCount/useCount.c
@@ -27,34 +27,34 @@ char safeAddr[255]; snprintf(safeAddr, sizeof(safeAddr), "%s", remoteAddr); char safeVersion[255]; snprintf(safeVersion, sizeof(safeVersion), "%s", version); printf("Content-Type:text/html\n\n\n"); printf(""); printf("\n"); struct sqlConnection *conn = hConnectCentral(); if (conn) { char query[1024]; if (sqlTableExists(conn, useCount)) {
- safef(query, sizeof(query), "INSERT %s VALUES(0,\"%s\",\"%s\",now(),\"%s\")",
+ sqlSafef(query, sizeof(query), "INSERT %s VALUES(0,\"%s\",\"%s\",now(),\"%s\")",
useCount, safeAgent, safeAddr, safeVersion); sqlUpdate(conn,query); count = sqlLastAutoId(conn);
- safef(query, sizeof(query), "SELECT dateTime FROM %s WHERE count=%d",
+ sqlSafef(query, sizeof(query), "SELECT dateTime FROM %s WHERE count=%d",
useCount, count); (void) sqlQuickQuery(conn, query, dateTime, sizeof(dateTime)); } else { printf("ERROR: can not find table '%s'
\n", useCount); } hDisconnectCentral(&conn); } printf("count: %d, date: %s
\n", count, dateTime); printf("\n"); return 0; }