bd0c10be3b38ca182488da41005794927a2cbfdd
galt
  Mon Jul 8 14:57:40 2013 -0700
fixed unvetted query from sql in a trackDbSetting idInUrlSql
diff --git src/hg/hgc/hgc.c src/hg/hgc/hgc.c
index 88d6cf4..a6a247c 100644
--- src/hg/hgc/hgc.c
+++ src/hg/hgc/hgc.c
@@ -919,34 +919,34 @@
     for (html = htmls; html != NULL; html = html->next)
         printf("<br>\n%s\n", html->html);
     itemDetailsHtmlFreeList(&htmls);
     hFreeConn(&conn);
     }
 }
 
 char *getIdInUrl(struct trackDb *tdb, char *itemName)
 /* If we have an idInUrlSql tag, look up itemName in that, else just
  * return itemName. */
 {
 char *sql = trackDbSetting(tdb, "idInUrlSql");
 char *id = itemName;
 if (sql != NULL)
     {
-    char buf[256];
-    safef(buf, sizeof(buf), sql, itemName);
+    char query[256];
+    sqlSafef(query, sizeof(query), sql, itemName);
     struct sqlConnection *conn = hAllocConn(database);
-    id = sqlQuickString(conn, buf);
+    id = sqlQuickString(conn, query);
     hFreeConn(&conn);
     }
 return id;
 }
 
 char* replaceInUrl(struct trackDb *tdb, char *url, char *idInUrl, boolean encode) 
 /* replace $$ in url with idInUrl. Supports many other wildchards */
 {
 struct dyString *uUrl = NULL;
 struct dyString *eUrl = NULL;
 char startString[64], endString[64];
 char *ins[9], *outs[9];
 char *eItem = (encode ? cgiEncode(idInUrl) : cloneString(idInUrl));
 
 safef(startString, sizeof startString, "%d", winStart);
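Review bot: `id = sqlQuickString(conn, query);` on the new side assigns the lookup result unconditionally, so when the idInUrlSql query matches no row getIdInUrl appears to return NULL instead of the fallback itemName that its header comment promises, and callers such as replaceInUrl then hand that NULL to cgiEncode/cloneString. Keeping the fallback is a two-line change: `char *hit = sqlQuickString(conn, query);` followed by `if (hit != NULL) id = hit;`. Since itemName is request-supplied, it would also help to state the trust boundary in the header comment, e.g. `/* itemName comes from the request; sqlSafef escapes it into the trackDb-supplied idInUrlSql template. */`. The function preceding getIdInUrl starts outside the hunk, and replaceInUrl's body continues past it.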