5b8c4168d4807c729fc8b1f199d9eb03c9411069
galt
  Thu Mar 3 18:40:54 2016 -0800
Replacing simple literal NOSQLINJ in string with the #define NOSQLINJ. This is slightly better because the compiler can catch a misspelling of the NOSQLINJ keyword. This was suggested by Angie.

diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index 62b6741..269c6ce 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -899,33 +899,33 @@
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = slNameNew(row[0]);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 static struct slName *sqlListTablesForConn(struct sqlConnection *conn, char *likeExpr)
 /* run SHOW TABLES on connection and return a slName list */
 {
 char query[256];
 if (likeExpr == NULL)
-    safef(query, sizeof(query), "NOSQLINJ SHOW TABLES");
+    safef(query, sizeof(query), NOSQLINJ "SHOW TABLES");
 else
-    safef(query, sizeof(query), "NOSQLINJ SHOW TABLES %s", likeExpr);
+    safef(query, sizeof(query), NOSQLINJ "SHOW TABLES %s", likeExpr);
 
 struct slName *list = NULL, *el;
 
 struct sqlResult *sr;
 char **row;
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = slNameNew(row[0]);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
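Review bot: In sqlListTablesForConn the new line `safef(query, sizeof(query), NOSQLINJ "SHOW TABLES %s", likeExpr);` stamps the query as vetted while splicing likeExpr in through plain safef, which does no SQL escaping (the escaping formatter in this file is vaSqlSafefNoAbort, further down in this diff), so the tag only restates whatever the callers of this static function guarantee about likeExpr. That is presumably intentional, since likeExpr looks like a caller-built clause, but the contract is not written anywhere in the function. Suggest extending the header comment to `/* run SHOW TABLES on connection and return a slName list. likeExpr, if non-NULL, is spliced in unescaped and must already be vetted SQL. */`, or, if callers can pass just the pattern, building the query through the sqlSafef path so the value is escaped. The NULL branch above it is a pure literal and needs nothing.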
@@ -1386,44 +1386,44 @@
  * but mysql_store_result has left a big footprint in the code/comments.
  * In particular, mysql_store_result can return NULL indicating an empty resultset.
  * But mysql_use_result cannot do that. Instead NULL return means error
  * and the user must call next_row to see if there's anything in the resultset.
  */
 {
 struct sqlResult *res = NULL;
 long deltaTime;
 boolean fixedMultipleNOSQLINJ = FALSE;
 
 ++sqlTotalQueries;
 
 if (monitorFlags & JKSQL_TRACE)
     monitorPrintQuery(sc, query);
 
-if (startsWith("NOSQLINJ ", query))
+if (startsWith(NOSQLINJ "", query))
     {
-    query += strlen("NOSQLINJ "); // We know this query has been vetted for sql injection, skip over this tag.
+    query += strlen(NOSQLINJ ""); // We know this query has been vetted for sql injection, skip over this tag.
     }
 else
     {
     sqlCheckError("Unvetted query: %s", query);
     }
 
 // additional check finds errors of multiple NOSQLINJ tags
-if (strstr(query, "NOSQLINJ "))
+if (strstr(query, NOSQLINJ ""))
     {
     sqlCheckError("Oops, multiple occurrences of NOSQLINJ tag in query: %s", query);
-    query = replaceChars(query, "NOSQLINJ ", "");
+    query = replaceChars(query, NOSQLINJ "", "");
     fixedMultipleNOSQLINJ = TRUE;
     }
 
 if (sqlConnMustUseFailover(sc))
     sc = sc->failoverConn;
 
 sqlConnectIfUnconnected(sc, abort);
 assert(!sc->isFree);
 
 monitorEnter();
 int mysqlError = mysql_real_query(sc->conn, query, strlen(query));
 
 // if the query fails on the main connection, connect the failover connection and try there
 if (mysqlError != 0 && sc->failoverConn && sameWord(sqlGetDatabase(sc), sqlGetDatabase(sc->failoverConn)))
     {
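Review bot: The `NOSQLINJ ""` form at the startsWith, strlen, strstr and replaceChars lines reads like a stray empty literal, and nothing in the hunk says why it is there; a one-line comment at the first use, `// NOSQLINJ "" forces literal concatenation, so a mistyped macro name is a compile error rather than a silent string`, would carry the commit message's rationale into the code. The old literal was "NOSQLINJ " with a trailing space, and both the prefix skip at `query += strlen(NOSQLINJ "")` and the multiple-tag scan depend on the macro expansion ending with that space; the macro definition is not in this diff, so that is worth confirming where it is defined. `strlen(NOSQLINJ "")` here and at the two uses in the hunk at line 3749 could be `sizeof(NOSQLINJ "") - 1`, which is a compile-time constant and still requires NOSQLINJ to be a string literal. The enclosing function starts before this hunk and ends after it.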
@@ -3749,35 +3749,35 @@
 int vaSqlSafefNoAbort(char* buffer, int bufSize, boolean newString, char *format, va_list args)
 /* VarArgs Format string to buffer, vsprintf style, only with buffer overflow
  * checking.  The resulting string is always terminated with zero byte.
  * Scans string parameters for illegal sql chars. 
  * Automatically escapes quoted string values.
  * This function should be efficient on statements with many strings to be escaped. */
 {
 va_list orig_args;
 va_copy(orig_args, args);
 int formatLen = strlen(format);
 
 char escPunc = 0x01;  // using char 1 as special char to denote strings needing escaping
 char *newFormat = NULL;
 int newFormatSize = 2*formatLen + 1;
 if (newString)
-    newFormatSize += strlen("NOSQLINJ ");
+    newFormatSize += strlen(NOSQLINJ "");
 newFormat = needMem(newFormatSize);
 char *nf = newFormat;
 if (newString)
-    nf += safef(newFormat, newFormatSize, "%s", "NOSQLINJ ");
+    nf += safef(newFormat, newFormatSize, "%s", NOSQLINJ "");
 char *lastPct = NULL;
 int escStringsCount = 0;
 int escStringsSize = 0;
 
 char c = 0;
 int i = 0;
 char quote = 0;
 boolean inPct = FALSE;
 boolean isLong = FALSE;
 boolean isLongLong = FALSE;
 boolean isNegated = FALSE;
 while (i < formatLen)
     {
     c = format[i];
     *nf++ = c;
@@ -4090,31 +4090,31 @@
  * the entire sql string. */
 
 {
 va_list args;
 va_start(args, format);
 vaSqlDyStringPrintfFrag(ds, format, args);
 va_end(args);
 }
 
 
 void sqlDyStringAppend(struct dyString *ds, char *string)
 /* Append zero terminated string to end of dyString.
  * Adds the NOSQLINJ prefix if dy string is empty. */
 {
 if (ds->stringSize == 0)
-    dyStringAppend(ds, "NOSQLINJ ");
+    dyStringAppend(ds, NOSQLINJ "");
 dyStringAppendN(ds, string, strlen(string));
 }
 
 
 struct dyString *sqlDyStringCreate(char *format, ...)
 /* Create a dyString with a printf style initial content 
  * Adds the NOSQLINJ prefix. */
 {
 int len = strlen(format) * 3;
 struct dyString *ds = newDyString(len);
 va_list args;
 va_start(args, format);
 vaSqlDyStringPrintf(ds, format, args);
 va_end(args);
 return ds;
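Review bot: sqlDyStringAppend tags the buffer as vetted with `dyStringAppend(ds, NOSQLINJ "")` and then appends `string` verbatim via dyStringAppendN with no escaping, so the tag certifies only what the caller guarantees, and the header comment should say so. Suggest `/* Append zero terminated string to end of dyString. Adds the NOSQLINJ prefix if dy string is empty. The string is appended unescaped and must already be safe SQL (a literal, or text built with the sqlSafef family). */`. Note also that the prefix is added only when stringSize is 0, so a dyString that already holds untagged text stays untagged here. sqlDyStringCreate's closing brace lies outside the hunk.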