49196327822a90f73d639340b14f8ab3e16924a2 galt Thu Sep 12 10:26:09 2013 -0700 because Ubuntu currently has a hard time getting pstack to work, I do not want any dumpStack statements that cannot be turned off by a flag in hg.conf diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c index 60be68c..aed1015 100644 --- src/hg/lib/jksql.c +++ src/hg/lib/jksql.c @@ -909,30 +909,31 @@ // additional check finds errors of multiple NOSQLINJ tags if (strstr(query, "NOSQLINJ ")) { sqlCheckError("Oops, multiple occurrences of NOSQLINJ tag in query: %s", query); query = replaceChars(query, "NOSQLINJ ", ""); fixedMultipleNOSQLINJ = TRUE; } monitorEnter(); if (mysql_real_query(conn, query, strlen(query)) != 0) { if (abort) { monitorLeave(); + if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) dumpStack("DEBUG Can't start query"); // Extra debugging info. DEBUG REMOVE sqlAbort(sc, "Can't start query:\n%s\n", query); } } else { MYSQL_RES *resSet; if ((resSet = getter(conn)) == NULL) { if (mysql_errno(conn) != 0) { monitorLeave(); sqlAbort(sc, "Can't use query:\n%s", query); } } 
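Review bot: The added `if (sameOk(cfgOption("noSqlInj.dumpStack"), "on"))` is unbraced, and the `dumpStack(...)` line it guards is still tagged `DEBUG REMOVE`. If that line is later deleted as the tag asks, the `if` silently attaches to `sqlAbort(sc, "Can't start query:\n%s\n", query)`, and the abort on a failed query becomes conditional on a debugging flag. Bracing the pair removes that trap: `if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) { dumpStack("DEBUG Can't start query"); }`. The same test is repeated verbatim in the sqlTableExists and vaSqlSafefNoAbort hunks, so a small static helper returning it would keep the option name in one place. The enclosing function begins and ends outside this hunk.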
@@ -1089,52 +1090,57 @@ /* Return TRUE if database exists. */ { struct sqlConnection *conn = sqlMayConnect(database); boolean exists = (conn != NULL); sqlDisconnect(&conn); return exists; } boolean sqlTableExists(struct sqlConnection *sc, char *table) /* Return TRUE if a table exists. */ { char query[256]; struct sqlResult *sr; if (sameString(table,"")) { + if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) dumpStack("jksql sqlTableExists: Buggy code is feeding me empty table name. table=[%s].\n", table); fflush(stderr); // log only return FALSE; } // TODO If the ability to supply a list of tables is hardly used, // then we could switch it to simply %s below supporting a single // table at a time more securely. if (strchr(table,',')) + { + if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) dumpStack("sqlTableExists called on multiple tables with table=[%s]\n", table); + } if (strchr(table,'%')) { + if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) dumpStack("jksql sqlTableExists: Buggy code is feeding me junk wildcards. table=[%s].\n", table); fflush(stderr); // log only return FALSE; } if (strchr(table,'-')) { return FALSE; // mysql does not allow tables with dash (-) so it will not be found. // hg/lib/hdb.c can generate an invalid table names with dashes while looking for split tables, // if the first chrom name has a dash in it. Examples found were: scaffold_0.1-193456 scaffold_0.1-13376 HERVE_a-int 1-1 // Assembly hubs also may have dashes in chrom names. 
} -sqlSafef(query, sizeof(query), "SELECT 1 FROM %-s LIMIT 0", sqlCkIl(table)); // DEBUG RESTORE -//safef(query, sizeof(query), "NOSQLINJ SELECT 1 FROM %s LIMIT 0", table); // DEBUG REMOVE +sqlSafef(query, sizeof(query), "SELECT 1 FROM %-s LIMIT 0", sqlCkIl(table)); +//sqlSafef(query, sizeof(query), "SELECT 1 FROM %-s LIMIT 0", sqlCkId(table)); // DEBUG RESTORE if ((sr = sqlUseOrStore(sc,query,mysql_use_result, FALSE)) == NULL) return FALSE; // TODO consider using sqlGetResultExt or something that would // allow you to abort on all errors except the actual table not found: // ERROR 1146 (42S02): Table 'hg19.chr_est' doesn't exist sqlFreeResult(&sr); return TRUE; } bool sqlColumnExists(struct sqlConnection *conn, char *tableName, char *column) /* return TRUE if column exists in table. tableName can contain sql wildcards */ { char query[1024]; sqlSafef(query, 1024, "SHOW COLUMNS FROM `%s` LIKE '%s'", tableName, column); char buf[1024]; 
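Review bot: With `noSqlInj.dumpStack` unset, the empty-name and `%` branches of sqlTableExists now return FALSE without reporting anything, although the `fflush(stderr); // log only` after each guarded call suggests a log line was the intent; the comma branch becomes an empty block. A rejected table name is a useful sign of a buggy caller or of unexpected input reaching this function, so I would keep a one-line message outside the guard, e.g. `fprintf(stderr, "sqlTableExists: rejected table name [%s]\n", table);`, and reserve the flag for the stack dump alone. Separately, the live query passes `table` through `%-s` with `sqlCkIl(table)`, while the newly added commented-out line parks a `sqlCkId(table)` variant tagged `DEBUG RESTORE`. Because `%-s` appears to skip escaping (see the `isNegated` handling in vaSqlSafefNoAbort), the checker is the only validation on this value; a comment stating which checker is the intended end state, and why, would be safer than parked code.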
@@ -2778,36 +2784,36 @@ /* Check each character of input against allowed character set */ { if (!s) { sqlCheckError("sqlCheckAllowedChars - Cannot check NULL"); return FALSE; } char *sOriginal = s; unsigned char c; while((c = *s++) != 0) { if (disAllowed[c]) { // DEBUG REMOVE Temporary for trying to track down some weird error // because the stackdump should appear but does not. + //if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) // dumpStack("character %c disallowed in sql string part %s\n", c, sOriginal); // DEBUG REMOVE GALT // TODO for some reason the warn stack is messed up sometimes very eary. -- happening in hgTables position search on brca //warn("character %c disallowed in sql string part %s", c, sOriginal); - // DEBUG REMOVE GALT // just using this as a work-around // until the problem with early errors and warn/abort stacks has been fixed. char *noSqlInjLevel = cfgOption("noSqlInj.level"); if (noSqlInjLevel && !sameString(noSqlInjLevel, "ignore")) { fprintf(stderr, "character %c disallowed in sql string part %s\n", c, sOriginal); fflush(stderr); } return FALSE; } } return TRUE; } 
@@ -3055,31 +3061,30 @@ } int vaSqlSafefNoAbort(char* buffer, int bufSize, boolean newString, char *format, va_list args) /* VarArgs Format string to buffer, vsprintf style, only with buffer overflow * checking. The resulting string is always terminated with zero byte. * Scans string parameters for illegal sql chars. * Automatically escapes quoted string values. * This function should be efficient on statements with many strings to be escaped. */ { va_list orig_args; va_copy(orig_args, args); int formatLen = strlen(format); char escPunc = 0x01; // using char 1 as special char to denote strings needing escaping -//char escPunc = '`'; // DEBUG REMOVE char *newFormat = NULL; int newFormatSize = 2*formatLen + 1; if (newString) newFormatSize += strlen("NOSQLINJ "); newFormat = needMem(newFormatSize); char *nf = newFormat; if (newString) nf += safef(newFormat, newFormatSize, "%s", "NOSQLINJ "); char *lastPct = NULL; int escStringsCount = 0; int escStringsSize = 0; char c = 0; int i = 0; char quote = 0; @@ -3157,35 +3162,35 @@ if (!isNegated) // Not a Pre-escaped String { // go back and insert escPunc before the leading % char saved in lastPct // move the accumulated %s descriptor memmove(lastPct+1, lastPct, nf - lastPct); // this is typically very small, src and dest overlap. ++nf; *lastPct = escPunc; *nf++ = escPunc; ++escStringsCount; if (s == NULL) { escStringsSize += strlen("(null)"); } else { - escStringsSize += strlen(s); // TODO do we need this variable? + escStringsSize += strlen(s); // DEBUG temporary check for signs of double-escaping, can remove later for a minor speedup: - //if (strstr(s, "\\\\\\\\")) // this is really 4 backslashes if (strstr(s, "\\\\")) // this is really 2 backslashes { + if (sameOk(cfgOption("noSqlInj.dumpStack"), "on")) dumpStack("potential sign of double sql-escaping in string [%s]", s); } } } } } else { errAbort("unexpected error processing vaSqlSafef, format: %s", format); } isLong = FALSE; isLongLong = FALSE; isNegated = FALSE; }
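Review bot: In the last hunk the double-escaping check still runs `strstr(s, "\\\\")` on every escaped string argument, but with the flag off its result is now discarded, so the scan costs time and reports nothing. Reading the option once near the top of vaSqlSafefNoAbort, `boolean dumpOn = sameOk(cfgOption("noSqlInj.dumpStack"), "on");`, and testing `if (dumpOn && strstr(s, "\\\\"))` skips the scan when nothing can be reported and avoids a config lookup per match. When the flag is on, the dump text includes the argument value `s`, which may be request-supplied data, so the option's documentation should say that enabling it can place query parameter values in the dump output. The function body starts in the previous hunk and continues past the end of this one.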