3d69ea28831dc638c132ff401bb0525c8e88236d galt Mon Jun 24 18:38:40 2013 -0700 going back to using %-s in sqlSafef rather than the sqlDyString functions diff --git src/hg/hgc/pubs.c src/hg/hgc/pubs.c index fa46369..d78f418 100644 --- src/hg/hgc/pubs.c +++ src/hg/hgc/pubs.c @@ -265,50 +265,49 @@ } if (names==0) errAbort("You need to specify at least one article section."); char *nameListString = slNameListToString(names, ','); slNameFree(names); return nameListString; } static struct sqlResult *queryMarkerRows(struct sqlConnection *conn, char *markerTable, \ char *articleTable, char *item, int itemLimit, char *sectionList) /* query marker rows from mysql, based on http parameters */ { +char query[4000]; /* Mysql specific setting to make the group_concat function return longer strings */ sqlUpdate(conn, "NOSQLINJ SET SESSION group_concat_max_len = 100000"); -// rather ugly compared to single safef line, but needed to rewrite with dyString for sql inj -struct dyString *query = newDyString(4000); -sqlDyStringPrintf(query,"SELECT distinct "); -sqlDyStringPrintf(query, "%s.articleId,url,title,authors,citation,pmid,extId, ", markerTable); -sqlDyStringPrintf(query, - "group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s ", - markerTable); -sqlDyStringPrintf(query, "JOIN %s USING (articleId) ", articleTable); -sqlDyStringPrintf(query, "WHERE markerId='%s' AND section in (", item); -// this part triggered sql injection warning as the section list includes ' and , -sqlDyStringPrintf(query, "%-s", sectionList); -sqlDyStringPrintf(query, ") GROUP BY articleId ORDER BY year DESC LIMIT %d", itemLimit); +// no need to check for illegal characters in sectionList +sqlSafef(query, sizeof(query), "SELECT distinct %s.articleId, url, title, authors, citation, " + "pmid, extId, " + "group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s " + "JOIN %s USING (articleId) " + "WHERE markerId='%s' AND section in (%-s) " + "GROUP by articleId " + "ORDER BY year DESC " + "LIMIT %d", + markerTable, markerTable, articleTable, item, sectionList, itemLimit); if (pubsDebug) - printf("%s", query->string); + printf("%s", query); -struct sqlResult *sr = sqlGetResult(conn, query->string); +struct sqlResult *sr = sqlGetResult(conn, query); return sr; } static void printSectionCheckboxes() /* show a little form with checkboxes where user can select sections they want to show */ { // labels to show to user, have to correspond to pubsSecNames char *secLabels[] ={ "Title", "Abstract", "Introduction", "Methods", "Results", "Discussion", "Conclusions", "Acknowledgements", "References", "Undetermined section (e.g. for a brief communication)" }; @@ -337,39 +336,34 @@ } printf("<INPUT TYPE=\"hidden\" name=\"o\" value=\"%s\" />\n", cgiString("o")); printf("<INPUT TYPE=\"hidden\" name=\"g\" value=\"%s\" />\n", cgiString("g")); printf("<INPUT TYPE=\"hidden\" name=\"t\" value=\"%s\" />\n", cgiString("t")); printf("<INPUT TYPE=\"hidden\" name=\"i\" value=\"%s\" />\n", cgiString("i")); printf("<INPUT TYPE=\"hidden\" name=\"hgsid\" value=\"%d\" />\n", cart->sessionId); printf("<BR>"); printf("<INPUT TYPE=\"submit\" VALUE=\"Submit\" />\n"); printf("</FORM><P>\n"); } static void printLimitWarning(struct sqlConnection *conn, char *markerTable, char *item, int itemLimit, char *sectionList) { -//char query[4000]; -struct dyString *query = newDyString(4000); -sqlDyStringPrintf(query, "SELECT COUNT(*) from "); -dyStringAppend(query, markerTable); -sqlDyStringPrintf(query, " WHERE markerId='%s' AND section in ", item); -dyStringPrintf(query, " (%s) ", sectionList); // no need to check for illegal characters here - -//sqlSafef(query, sizeof(query), "SELECT COUNT(*) from %s WHERE markerId='%s' AND section in (%s) ", markerTable, item, sectionList); -if (sqlNeedQuickNum(conn, query->string) > itemLimit) +char query[4000]; +// no need to check for illegal characters in sectionList +sqlSafef(query, sizeof(query), "SELECT COUNT(*) from %s WHERE markerId='%s' AND section in (%-s) ", markerTable, item, sectionList); +if (sqlNeedQuickNum(conn, query) > itemLimit) { printf("<b>This marker is mentioned more than %d times</b><BR>\n", itemLimit); printf("The results would take too long to load in your browser and are " "therefore limited to %d articles.<P>\n", itemLimit); } } static void printMarkerSnippets(struct sqlConnection *conn, char *articleTable, char *markerTable, char *item) { /* do not show more snippets than this limit */ int itemLimit=100; printSectionCheckboxes(); char *sectionList = makeSqlMarkerList();