f4e7240b8daa1a7a7ab5326edc6c60be62a0e96d
max
  Mon Jun 24 13:28:07 2013 -0700
changing sqlinc printf to use %-s instead of append
diff --git src/hg/hgc/pubs.c src/hg/hgc/pubs.c
index e001483..fa46369 100644
--- src/hg/hgc/pubs.c
+++ src/hg/hgc/pubs.c
@@ -278,31 +278,31 @@
 /* query marker rows from mysql, based on http parameters  */
 {
 /* Mysql specific setting to make the group_concat function return longer strings */
 sqlUpdate(conn, "NOSQLINJ SET SESSION group_concat_max_len = 100000");
 
 // rather ugly compared to single safef line, but needed to rewrite with dyString for sql inj
 struct dyString *query = newDyString(4000);
 sqlDyStringPrintf(query,"SELECT distinct ");
 sqlDyStringPrintf(query, "%s.articleId,url,title,authors,citation,pmid,extId, ", markerTable);
 sqlDyStringPrintf(query, 
     "group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s ",
     markerTable);
 sqlDyStringPrintf(query, "JOIN %s USING (articleId) ", articleTable);
 sqlDyStringPrintf(query, "WHERE markerId='%s' AND section in (", item);
 // this part triggered sql injection warning as the section list includes ' and ,
-sqlDyStringAppend(query, sectionList);
+sqlDyStringPrintf(query, "%-s", sectionList);
 sqlDyStringPrintf(query, ") GROUP BY articleId ORDER BY year DESC LIMIT %d", itemLimit);
 
 if (pubsDebug)
     printf("%s", query->string);
 
 struct sqlResult *sr = sqlGetResult(conn, query->string);
 
 return sr;
 }
 
 
 static void printSectionCheckboxes()
 /* show a little form with checkboxes where user can select sections they want to show */
 {
 // labels to show to user, have to correspond to pubsSecNames
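Review bot: The new `sqlDyStringPrintf(query, "%-s", sectionList)` silences the injection warning without changing what goes into the query: as I read the kent printf extension, the `-` flag marks the argument as trusted and inserts it without SQL escaping, so the result is byte-for-byte what `sqlDyStringAppend` produced. That is only acceptable if sectionList is assembled from internal constants rather than from a CGI parameter, and since the enclosing function starts above the hunk its origin is not visible here. I would replace the comment on the line above with `// sectionList is inserted unescaped (%-s): it must be built only from the internal pubsSecNames constants, never from request input` and confirm the caller honours that. The other format arguments in the hunk (markerTable, articleTable, item, itemLimit) still go through the escaping `%s`/`%d` path, so the trust assumption is confined to this one argument.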