b651efa6dd03dea5a8470ba80b4720bddbb999a3 galt Thu Aug 15 17:18:52 2013 -0700 fixing minor anti-sqli problems diff --git src/hg/qaPushQ/qaPushQ.c src/hg/qaPushQ/qaPushQ.c index 44edbb2..9057f87 100644 --- src/hg/qaPushQ/qaPushQ.c +++ src/hg/qaPushQ/qaPushQ.c @@ -3284,31 +3284,31 @@ void doDrawReleaseLog(boolean isEncode) /* Test - draw the release log using log data in pushQ */ { char *centraldb = NULL; char *chost = NULL; char *cuser = NULL; char *cpassword = NULL; struct sqlConnection *betaconn = NULL; struct dbDb *ki=NULL, *kiList=NULL, *dbDbTemp=NULL; struct sqlResult *sr; char **row; -char query[256]; +char query[1024]; char tempName[256]; char now[256]; int m=0,d=0; int topCount=0; char *encodeClause = ""; if (isEncode) encodeClause = " and releaseLog like '%ENCODE%'"; ZeroVar(&dbDbTemp); chost = cfgOption("rrcentral.host" ); @@ -3346,31 +3346,31 @@ // are we really only allowed one remoteconn at a time? conn = sqlConnectRemote(host, user, password, database); /* filter the db list to make sure we actually have data */ struct dbDb *newList=NULL, *kiNext; for (ki = kiList; ki != NULL; ki = kiNext) { kiNext = ki->next; sqlSafef(query,sizeof(query), "select count(*) from pushQ " "where priority='L' and releaseLog != '' and (" "dbs like '%s' or " "dbs like '%s %%' or " "dbs like '%% %s' or " "dbs like '%% %s %%'" - ") %s" + ") %-s" "order by qadate desc, qid desc", ki->name, ki->name, ki->name, ki->name, encodeClause ); if (sqlQuickNum(conn, query) > 0) { slAddHead(&newList, ki); } } slReverse(&newList); kiList = newList; /* 10 Latest Changes */ 
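Review bot: The `query` buffer grows from 256 to 1024 bytes with no comment on what the new size is sized for; the same buffer is reused by the later sqlSafef calls in doDrawReleaseLog, the longest of which expands ki->name four times plus encodeClause, so the reason belongs at the declaration, e.g. `char query[1024]; /* shared by the pushQ queries below; the dbs LIKE query expands ki->name four times plus encodeClause */`. If sqlSafef aborts rather than truncates on overflow (which the kent wrappers appear to do, but confirm), an undersized buffer would surface as an errAbort on long assembly names rather than as a silently bad query, which decides whether 1024 is merely generous or load-bearing. doDrawReleaseLog continues past the end of this hunk.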
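Review bot: The new `") %-s"` fragment is concatenated directly with `"order by qadate desc, qid desc"`, and encodeClause (` and releaseLog like '%ENCODE%'`, assigned at the top of doDrawReleaseLog) has no trailing space, so in ENCODE mode the SQL sent is `...like '%ENCODE%'order by...`; MySQL appears to tolerate that, but it is one edit away from a syntax error, and `") %-s "` removes the dependency on the fragment's whitespace. Separately, `%-s` makes sqlSafef insert the argument verbatim with no escaping or checking, which is only acceptable because encodeClause is one of two compile-time literals chosen by isEncode; that invariant should be stated where the variable is declared, e.g. `/* raw SQL fragment inserted via %-s (unescaped): must stay a literal, never request input */`. The `ki->name` values still go through the escaping `%s` path, which is the right split, though as far as I can tell that escaping covers quotes and backslashes rather than LIKE wildcards, so a db name containing `%` or `_` would widen the match — harmless while names come from dbDb, worth remembering if this is ever driven by a CGI parameter. doDrawReleaseLog starts before and continues after this hunk.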
@@ -3396,31 +3396,31 @@ strftime (now, sizeof(now), "%02d %b %Y", loctime); /* default to today's date */ printf("<em>Last updated %s. <a HREF=\"/contacts.html\">Inquiries and feedback welcome</a>.</em>\n",now); /* 10 LATEST CHANGES */ webNewSection("<A NAME=recent></A> 10 Latest Changes (all assemblies)"); printf("<TABLE CELLPADDING=4 style='border:1px solid #aaaaaa; width:100%%;'>\n" "<TR>\n" "<TD nowrap><B style='color:#006666;'>Track/Table Name</B></TD>\n" "<TD nowrap><B style='color:#006666;'>Assembly</B></TD>\n" "<TD nowrap><B style='color:#006666;'>Release Date</B></TD>\n" "</TR>\n" ); sqlSafef(query,sizeof(query), "select releaseLog, dbs, qadate, releaseLogUrl from pushQ " - "where priority='L' and releaseLog != '' and dbs != '' %s" + "where priority='L' and releaseLog != '' and dbs != '' %-s" "order by qadate desc, qid desc ", encodeClause ); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { sscanf(cloneStringZ(&row[2][5],2),"%d",&m); sscanf(cloneStringZ(&row[2][8],2),"%d",&d); { /* parse dblist and make sure it's kosher and active=1 good */ char* dbs = cloneString(row[1]); char dbsComma[1024]; char dbsSpace[1024]; struct dyString* dbList = newDyString(1024); int j = 0, jj = 0; char* sep = ""; boolean found = FALSE; 
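Review bot: Same spacing hazard as the per-assembly query: the new `"... and dbs != '' %-s"` line is immediately followed by `"order by qadate desc, qid desc "`, and encodeClause carries no trailing space, so the ENCODE variant emits `'%ENCODE%'order by`; changing the line to `"... and dbs != '' %-s "` makes the query independent of the fragment's whitespace. Since `%-s` bypasses sqlSafef's escaping, the only thing keeping this query injection-free is that encodeClause is a literal selected by the isEncode flag, and a one-line comment on the call saying so would stop a future maintainer from routing a request parameter through the same format. The loop body that follows is context rather than new code, but the unchecked `sscanf(cloneStringZ(&row[2][5],2),"%d",&m)` on a fixed offset into qadate (and the leaked clone) deserves a follow-up; the enclosing while loop and doDrawReleaseLog continue past the end of this hunk.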
@@ -3488,31 +3488,31 @@ webNewSection("<A NAME=%s></A>%s %s (%s, %s)", ki->name, tempName, ki->description, ki->name, ki->sourceName); printf("<TABLE CELLPADDING=4 style='border:1px solid #aaaaaa; width:100%%;'>\n" "<TR><TD nowrap><B style='color:#006666;'>Track/Table Name</B></TD>\n" " <TD nowrap><B style='color:#006666;'>Release Date</B>\n" "</TD></TR>\n"); sqlSafef(query,sizeof(query), "select releaseLog, qadate, releaseLogUrl from pushQ " "where priority='L' and releaseLog != '' and (" "dbs like '%s' or " "dbs like '%s %%' or " "dbs like '%% %s' or " "dbs like '%% %s %%'" - ") %s" + ") %-s" "order by qadate desc, qid desc", ki->name, ki->name, ki->name, ki->name, encodeClause ); //printf("query=%s\n",query); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { sscanf(cloneStringZ(&row[1][5],2),"%d",&m); sscanf(cloneStringZ(&row[1][8],2),"%d",&d); printf("<TR valign=top><TD align=left>\n"); if (sameOk(row[2], ""))