3d69ea28831dc638c132ff401bb0525c8e88236d
galt
  Mon Jun 24 18:38:40 2013 -0700
going back to using %-s in sqlSafef rather than the sqlDyString functions
diff --git src/hg/hgc/pubs.c src/hg/hgc/pubs.c
index fa46369..d78f418 100644
--- src/hg/hgc/pubs.c
+++ src/hg/hgc/pubs.c
@@ -265,50 +265,49 @@
 }
 
 if (names==0)
     errAbort("You need to specify at least one article section.");
 
 char *nameListString = slNameListToString(names, ',');
 slNameFree(names);
 return nameListString;
 }
 
 
 static struct sqlResult *queryMarkerRows(struct sqlConnection *conn, char *markerTable, \
     char *articleTable, char *item, int itemLimit, char *sectionList)
 /* query marker rows from mysql, based on http parameters  */
 {
+char query[4000];
 /* Mysql specific setting to make the group_concat function return longer strings */
 sqlUpdate(conn, "NOSQLINJ SET SESSION group_concat_max_len = 100000");
 
-// rather ugly compared to single safef line, but needed to rewrite with dyString for sql inj
-struct dyString *query = newDyString(4000);
-sqlDyStringPrintf(query,"SELECT distinct ");
-sqlDyStringPrintf(query, "%s.articleId,url,title,authors,citation,pmid,extId, ", markerTable);
-sqlDyStringPrintf(query, 
-    "group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s ",
-    markerTable);
-sqlDyStringPrintf(query, "JOIN %s USING (articleId) ", articleTable);
-sqlDyStringPrintf(query, "WHERE markerId='%s' AND section in (", item);
-// this part triggered sql injection warning as the section list includes ' and ,
-sqlDyStringPrintf(query, "%-s", sectionList);
-sqlDyStringPrintf(query, ") GROUP BY articleId ORDER BY year DESC LIMIT %d", itemLimit);
+// no need to check for illegal characters in sectionList
+sqlSafef(query, sizeof(query), "SELECT distinct %s.articleId, url, title, authors, citation, "  
+    "pmid, extId, "
+    "group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s "
+    "JOIN %s USING (articleId) "
+    "WHERE markerId='%s' AND section in (%-s) "
+    "GROUP by articleId "
+    "ORDER BY year DESC "
+    "LIMIT %d",
+    markerTable, markerTable, articleTable, item, sectionList, itemLimit);
 
 if (pubsDebug)
-    printf("%s", query->string);
+    printf("%s", query);
 
-struct sqlResult *sr = sqlGetResult(conn, query->string);
+struct sqlResult *sr = sqlGetResult(conn, query);
 
 return sr;
 }
 
 
 static void printSectionCheckboxes()
 /* show a little form with checkboxes where user can select sections they want to show */
 {
 // labels to show to user, have to correspond to pubsSecNames
 char *secLabels[] ={
       "Title", "Abstract",
       "Introduction", "Methods",
       "Results", "Discussion",
       "Conclusions", "Acknowledgements",
       "References", "Undetermined section (e.g. for a brief communication)" };
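Review bot: The `%-s` in the `section in (%-s)` clause of queryMarkerRows turns off sqlSafef's escaping for sectionList, and the added comment `// no need to check for illegal characters in sectionList` asserts that trust without recording why; the same applies to printLimitWarning in the second hunk. From this hunk the only visible producer of sectionList is makeSqlMarkerList, whose tail (slNameListToString over names) is shown but whose input is not, so the safety argument presumably rests on names being drawn from a fixed section table rather than from raw CGI values — that should be stated where the value is built and at each use site, e.g. `// %-s skips SQL escaping: sectionList must be produced only by makeSqlMarkerList() from the fixed section-name table, never from unescaped CGI input`. If that contract is ever loosened, both queries become injection points, so the comment is the only guard a future maintainer will see. Minor style: the `"SELECT distinct ..."` literal carries trailing whitespace, and `GROUP by` would read better as `GROUP BY` to match `ORDER BY`.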
@@ -337,39 +336,34 @@
 }
 
 printf("<INPUT TYPE=\"hidden\" name=\"o\" value=\"%s\" />\n", cgiString("o"));
 printf("<INPUT TYPE=\"hidden\" name=\"g\" value=\"%s\" />\n", cgiString("g"));
 printf("<INPUT TYPE=\"hidden\" name=\"t\" value=\"%s\" />\n", cgiString("t"));
 printf("<INPUT TYPE=\"hidden\" name=\"i\" value=\"%s\" />\n", cgiString("i"));
 printf("<INPUT TYPE=\"hidden\" name=\"hgsid\" value=\"%d\" />\n", cart->sessionId);
 printf("<BR>");
 printf("<INPUT TYPE=\"submit\" VALUE=\"Submit\" />\n");
 printf("</FORM><P>\n");
 }
 
 static void printLimitWarning(struct sqlConnection *conn, char *markerTable, 
     char *item, int itemLimit, char *sectionList)
 {
-//char query[4000];
-struct dyString *query = newDyString(4000);
-sqlDyStringPrintf(query, "SELECT COUNT(*) from ");
-dyStringAppend(query, markerTable); 
-sqlDyStringPrintf(query, " WHERE markerId='%s' AND section in ", item);
-dyStringPrintf(query, " (%s) ", sectionList); // no need to check for illegal characters here
-
-//sqlSafef(query, sizeof(query), "SELECT COUNT(*) from %s WHERE markerId='%s' AND section in (%s) ", markerTable, item, sectionList);
-if (sqlNeedQuickNum(conn, query->string) > itemLimit) 
+char query[4000];
+// no need to check for illegal characters in sectionList
+sqlSafef(query, sizeof(query), "SELECT COUNT(*) from %s WHERE markerId='%s' AND section in (%-s) ", markerTable, item, sectionList);
+if (sqlNeedQuickNum(conn, query) > itemLimit) 
 {
     printf("<b>This marker is mentioned more than %d times</b><BR>\n", itemLimit);
     printf("The results would take too long to load in your browser and are "
     "therefore limited to %d articles.<P>\n", itemLimit);
 }
 }
 
 static void printMarkerSnippets(struct sqlConnection *conn, char *articleTable, char *markerTable, char *item)
 {
 
 /* do not show more snippets than this limit */
 int itemLimit=100;
 
 printSectionCheckboxes();
 char *sectionList = makeSqlMarkerList();