f20cd920ff7ce99900b2f8350ca4b30948d47af2
galt
  Wed Jul 22 11:36:29 2015 -0700
Fixes RM#15751. Fixes a minor problem with sql string escaping. Also added a new function sqlSafefAppend because it is handy when you need to safely append a little formatted string, but you do not want to be bothered with using dyStrings.

diff --git src/hg/lib/hgFind.c src/hg/lib/hgFind.c
index c8063fd..8262ad1 100644
--- src/hg/lib/hgFind.c
+++ src/hg/lib/hgFind.c
@@ -584,31 +584,31 @@
  * and pos, used by addKnownGeneItems */
     {
     struct tsrPos *next;	/* Next in list. */
     struct trixSearchResult *tsr;	/* Basically a gene symbol */
     struct hgPos *posList;		/* Associated list of positions. */
     };
 
 static boolean isCanonical(struct sqlConnection *conn, char *geneName)
 /* Look for the name in knownCannonical, return true if found */
 {
 boolean foundIt = FALSE;
 if (sqlTableExists(conn, "knownCanonical"))
     {
     char query[512];
     sqlSafef(query, sizeof(query), "select transcript from knownCanonical"
-	  " where '%s' = transcript;", geneName);
+	  " where transcript = '%s'", geneName);
     struct sqlResult *sr = sqlGetResult(conn, query);
     char **row;
     if ((row = sqlNextRow(sr)) != NULL)
 	{
 	foundIt = TRUE;
 	}
     sqlFreeResult(&sr);
     }
 return foundIt;
 }
 
 
 static int hgPosCmpCanonical(const void *vhg1, const void *vhg2)
 // Compares two hgPos structs and returns an integer
 {
@@ -1566,38 +1566,36 @@
     /* I'm doing this query in two steps in C rather than
      * in one step in SQL just because it somehow is much
      * faster this way (like 100x faster) when using mySQL. */
     field = tables[i];
     if (!hTableExists(db, field))
 	continue;
     if ((grepIndexFile = getGenbankGrepIndex(db, hfs, field, "idName")) != NULL)
 	idList = genbankGrepQuery(grepIndexFile, field, key);
     else
         idList = genbankSqlFuzzyQuery(conn, field, key, limitResults);
     for (idEl = idList;
          idEl != NULL && (limitResults == EXHAUSTIVE_SEARCH_REQUIRED || rowCount < limitResults);
          idEl = idEl->next)
         {
         /* don't check srcDb to exclude refseq for compat with older tables */
-        if (limitResults == EXHAUSTIVE_SEARCH_REQUIRED)
 	sqlSafef(query, sizeof(query),
-                  "select acc, organism from gbCdnaInfo where %s = %s "
+	      "select acc, organism from gbCdnaInfo where %s = '%s' "
 	      " and type = 'mRNA'", field, idEl->name);
-        else // limit results to avoid CGI timeouts (#11626).
-            sqlSafef(query, sizeof(query),
-                  "select acc, organism from gbCdnaInfo where %s = %s "
-                  " and type = 'mRNA' limit %d", field, idEl->name, limitResults);
+        // limit results to avoid CGI timeouts (#11626).
+        if (limitResults != EXHAUSTIVE_SEARCH_REQUIRED)
+            sqlSafefAppend(query, sizeof(query), " limit %d", limitResults);
 	sr = sqlGetResult(conn, query);
 	while ((row = sqlNextRow(sr)) != NULL)
 	    {
 	    char *acc = row[0];
             /* will use this later to distinguish xeno mrna */
 	    int organismID = sqlUnsigned(row[1]);
 	    if (!isRefSeqAcc(acc) && !hashLookup(hash, acc))
 		{
 		el = newSlName(acc);
                 slAddHead(&list, el);
                 hashAddInt(hash, acc, organismID);
                 // limit results to avoid CGI timeouts (#11626).
                 if (rowCount++ > limitResults && limitResults != EXHAUSTIVE_SEARCH_REQUIRED)
                     break;
 		}
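Review bot: The new `sqlSafefAppend(query, sizeof(query), " limit %d", limitResults)` call's behaviour when the clause does not fit in `query` is not visible in this diff; if the helper follows sqlSafef's convention of aborting on truncation this is fine, but if it truncates silently the statement would go out without its limit (or cut mid-token) and the CGI-timeout guard the comment refers to would be lost, so that contract should be confirmed and stated in the helper's header comment. The change from `%s` to `'%s'` for `idEl->name` is the actual escaping fix and deserves a one-line comment so the quotes are not later "cleaned up" as redundant, e.g. `/* quoted so sqlSafef escapes the value as a string rather than applying identifier rules to it */`; the same note applies to the locusLinkId/omimId queries in the third hunk. The enclosing for loop and its function both begin and end outside this hunk.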
@@ -2117,35 +2115,35 @@
 (void) chopPrefix(specNoVersion);
 if (gotRefLink)
     {
     if (startsWith("NM_", specNoVersion) || startsWith("NR_", specNoVersion) || startsWith("XM_", specNoVersion))
 	{
 	sqlDyStringPrintf(ds, "select * from refLink where mrnaAcc = '%s'", specNoVersion);
 	addRefLinks(conn, ds, &rlList);
 	}
     else if (startsWith("NP_", specNoVersion) || startsWith("XP_", specNoVersion))
         {
 	sqlDyStringPrintf(ds, "select * from refLink where protAcc = '%s'", specNoVersion);
 	addRefLinks(conn, ds, &rlList);
 	}
     else if (isUnsignedInt(specNoVersion))
         {
-	sqlDyStringPrintf(ds, "select * from refLink where locusLinkId = %s",
+	sqlDyStringPrintf(ds, "select * from refLink where locusLinkId = '%s'",
 		       specNoVersion);
 	addRefLinks(conn, ds, &rlList);
 	dyStringClear(ds);
-	sqlDyStringPrintf(ds, "select * from refLink where omimId = %s", specNoVersion);
+	sqlDyStringPrintf(ds, "select * from refLink where omimId = '%s'", specNoVersion);
 	addRefLinks(conn, ds, &rlList);
 	}
     else 
 	{
 	char *indexFile = getGenbankGrepIndex(db, hfs, "refLink", "mrnaAccProduct");
 	sqlDyStringPrintf(ds, "select * from refLink where name like '%s%%'",
 		       specNoVersion);
 	addRefLinks(conn, ds, &rlList);
 	if (indexFile != NULL)
 	    {
 	    struct slName *accList = doGrepQuery(indexFile, "refLink", specNoVersion,
 						 NULL);
 	    addRefLinkAccs(conn, accList, &rlList);
 	    }
 	else