080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/oneShot/jksql/jksql.c src/oneShot/jksql/jksql.c
index 715e06f..cc0f690 100644
--- src/oneShot/jksql/jksql.c
+++ src/oneShot/jksql/jksql.c
@@ -260,91 +260,91 @@ ef->qStart = numString(row[7]); ef->qEnd = numString(row[8]); ef->qName = cloneString(s); return ef; } struct ensFeature *ensFeatForBac(struct sqlConnection *conn, char *clone) /* Get list of features associated with BAC clone. */ { unsigned int field_count; char query[256]; struct sqlResult *sr; struct ensFeature *efList = NULL, *ef; long startTime, endTime; -sprintf(query, "select * from feature where contig like '%s%%'", clone); +sqlSafef(query, sizeof query, "select * from feature where contig like '%s%%'", clone); startTime = clock1000(); sr = sqlQueryUse(conn, query); if (sr == NULL) printf("empty query\n"); else { MYSQL_RES *res = sr->result; MYSQL_ROW row; while ((row = mysql_fetch_row(res)) != NULL) { ef = featFromRow(res, row); slAddHead(&efList, ef); } endTime = clock1000(); printf("count = %d time = %4.3f\n", slCount(efList), 0.001*(endTime-startTime)); } sqlFreeResult(&sr); return efList; } struct slName *ensGenesInBacRange(struct sqlConnection *conn, char *bacName, int start, int end) /* Get list of genes in bac. */ { char query[512]; struct sqlResult *sr; struct slName *geneList = 0, *gene; -sprintf(query, +sqlSafef(query, sizeof query, "SELECT transcript.gene " "FROM geneclone_neighbourhood,transcript,translation " "WHERE geneclone_neighbourhood.clone = '%s' " " AND transcript.gene = geneclone_neighbourhood.gene " " AND transcript.translation = translation.id " " AND translation.seq_start >= %d " " AND translation.seq_end < %d" , bacName, start, end); sr = sqlQueryUse(conn, query); if (sr != NULL) { MYSQL_RES *res = sr->result; MYSQL_ROW row; while ((row = mysql_fetch_row(res)) != NULL) { gene = newSlName(row[0]); slAddHead(&geneList, gene); } } sqlFreeResult(&sr); return geneList; } struct slName *ensGenesInBac(struct sqlConnection *conn, char *bacName) /* Get list of genes in bac. 
*/ { char query[512]; struct sqlResult *sr; struct slName *geneList = 0, *gene; -sprintf(query, +sqlSafef(query, "SELECT transcript.gene " "FROM geneclone_neighbourhood,transcript,translation " "WHERE geneclone_neighbourhood.clone = '%s' " " AND transcript.gene = geneclone_neighbourhood.gene " " AND transcript.translation = translation.id ", bacName); sr = sqlQueryUse(conn, query); if (sr != NULL) { MYSQL_RES *res = sr->result; MYSQL_ROW row; while ((row = mysql_fetch_row(res)) != NULL) { gene = newSlName(row[0]); slAddHead(&geneList, gene);