5b8c4168d4807c729fc8b1f199d9eb03c9411069 galt Thu Mar 3 18:40:54 2016 -0800 Replacing simple literal NOSQLINJ in string with the #define NOSQLINJ. This is slightly better because the compiler can catch a mis-spelling of the NOSQLINJ keyword. This was suggested by Angie.
diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index 62b6741..269c6ce 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -899,33 +899,33 @@ while ((row = sqlNextRow(sr)) != NULL) { el = slNameNew(row[0]); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } static struct slName *sqlListTablesForConn(struct sqlConnection *conn, char *likeExpr) /* run SHOW TABLES on connection and return a slName list */ { char query[256]; if (likeExpr == NULL)
- safef(query, sizeof(query), "NOSQLINJ SHOW TABLES");
+ safef(query, sizeof(query), NOSQLINJ "SHOW TABLES");
else
- safef(query, sizeof(query), "NOSQLINJ SHOW TABLES %s", likeExpr);
+ safef(query, sizeof(query), NOSQLINJ "SHOW TABLES %s", likeExpr);
struct slName *list = NULL, *el; struct sqlResult *sr; char **row; sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { el = slNameNew(row[0]); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; }
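Review bot: The `else` branch of sqlListTablesForConn still splices `likeExpr` verbatim into a query it labels `NOSQLINJ`, so the tag asserts a vetting this function never performs; sqlGetResult accepts the query as vetted purely on that prefix. Replacing the literal with the macro does not change that, but since the function is static and its callers are outside this hunk, the obligation should be stated where the tag is applied, e.g. `// likeExpr is interpolated unescaped: callers must pass only constant/vetted SQL (presumably a LIKE clause), never user input`. The stronger fix is to build the query with the sqlSafef family, which scans string arguments for illegal SQL characters and emits the tag itself, instead of hand-prefixing it via plain safef.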
@@ -1386,44 +1386,44 @@ * but mysql_store_result has left a big footprint in the code/comments. * In particular, mysql_store_result can return NULL indicating an empty resultset. * But mysql_use_result cannot do that. Instead NULL return means error * and the user must call next_row to see if there's anything in the resultset. */ { struct sqlResult *res = NULL; long deltaTime; boolean fixedMultipleNOSQLINJ = FALSE; ++sqlTotalQueries; if (monitorFlags & JKSQL_TRACE) monitorPrintQuery(sc, query);
-if (startsWith("NOSQLINJ ", query))
+if (startsWith(NOSQLINJ "", query))
{
- query += strlen("NOSQLINJ "); // We know this query has been vetted for sql injection, skip over this tag.
+ query += strlen(NOSQLINJ ""); // We know this query has been vetted for sql injection, skip over this tag.
} else { sqlCheckError("Unvetted query: %s", query); } // additional check finds errors of multiple NOSQLINJ tags
-if (strstr(query, "NOSQLINJ "))
+if (strstr(query, NOSQLINJ ""))
{ sqlCheckError("Oops, multiple occurrences of NOSQLINJ tag in query: %s", query);
- query = replaceChars(query, "NOSQLINJ ", "");
+ query = replaceChars(query, NOSQLINJ "", "");
fixedMultipleNOSQLINJ = TRUE; } if (sqlConnMustUseFailover(sc)) sc = sc->failoverConn; sqlConnectIfUnconnected(sc, abort); assert(!sc->isFree); monitorEnter(); int mysqlError = mysql_real_query(sc->conn, query, strlen(query)); // if the query fails on the main connection, connect the failover connection and try there if (mysqlError != 0 && sc->failoverConn && sameWord(sqlGetDatabase(sc), sqlGetDatabase(sc->failoverConn))) {
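Review bot: The multiple-tag branch (`if (strstr(query, NOSQLINJ ""))`) rewrites the query with `replaceChars` and then hands the altered text to `mysql_real_query`, so unless sqlCheckError aborts (its policy is not visible in this hunk) a string value that legitimately contains the bytes of the tag is silently changed before execution. The tag is ordinary ASCII, so this path is reachable by data, not only by a developer double-tagging a query. If sqlCheckError can be configured to continue, I would either make this branch a hard error or document the trade-off at the `strstr` check: `// NOTE: strips the tag from data as well as from a double-tagged query; safe only if sqlCheckError aborts`. The enclosing function starts before this hunk and continues after it.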
@@ -3749,35 +3749,35 @@ int vaSqlSafefNoAbort(char* buffer, int bufSize, boolean newString, char *format, va_list args) /* VarArgs Format string to buffer, vsprintf style, only with buffer overflow * checking. The resulting string is always terminated with zero byte. * Scans string parameters for illegal sql chars. * Automatically escapes quoted string values. * This function should be efficient on statements with many strings to be escaped. */ { va_list orig_args; va_copy(orig_args, args); int formatLen = strlen(format); char escPunc = 0x01; // using char 1 as special char to denote strings needing escaping char *newFormat = NULL; int newFormatSize = 2*formatLen + 1; if (newString)
- newFormatSize += strlen("NOSQLINJ ");
+ newFormatSize += strlen(NOSQLINJ "");
newFormat = needMem(newFormatSize); char *nf = newFormat; if (newString)
- nf += safef(newFormat, newFormatSize, "%s", "NOSQLINJ ");
+ nf += safef(newFormat, newFormatSize, "%s", NOSQLINJ "");
char *lastPct = NULL; int escStringsCount = 0; int escStringsSize = 0; char c = 0; int i = 0; char quote = 0; boolean inPct = FALSE; boolean isLong = FALSE; boolean isLongLong = FALSE; boolean isNegated = FALSE; while (i < formatLen) { c = format[i]; *nf++ = c;
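Review bot: The new `nf += safef(newFormat, newFormatSize, "%s", NOSQLINJ "")` and the size adjustment above it both depend on the macro expanding to the tag including its trailing space — the replaced literal `"NOSQLINJ "` shows that is what it held — because the format text is copied straight after `nf` with no separator and sqlGetResult skips exactly `strlen(NOSQLINJ "")` bytes. That invariant lives in the #define, outside this hunk, so I would state it where the prefix is written: `// NOSQLINJ already carries its trailing separator space; nothing is inserted between tag and format`. The `NOSQLINJ ""` spelling is a sensible way to force a compile error if the macro ever stops being a string literal, but a short comment saying so would stop the next reader from "simplifying" it away. vaSqlSafefNoAbort continues past the end of this hunk.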
@@ -4090,31 +4090,31 @@ * the entire sql string. */ { va_list args; va_start(args, format); vaSqlDyStringPrintfFrag(ds, format, args); va_end(args); } void sqlDyStringAppend(struct dyString *ds, char *string) /* Append zero terminated string to end of dyString. * Adds the NOSQLINJ prefix if dy string is empty. */ { if (ds->stringSize == 0)
- dyStringAppend(ds, "NOSQLINJ ");
+ dyStringAppend(ds, NOSQLINJ "");
dyStringAppendN(ds, string, strlen(string)); } struct dyString *sqlDyStringCreate(char *format, ...) /* Create a dyString with a printf style initial content * Adds the NOSQLINJ prefix. */ { int len = strlen(format) * 3; struct dyString *ds = newDyString(len); va_list args; va_start(args, format); vaSqlDyStringPrintf(ds, format, args); va_end(args); return ds;
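Review bot: `sqlDyStringAppend` stamps an empty dyString with `NOSQLINJ ""` and then appends `string` through `dyStringAppendN` untouched, so the first append decides the query's vetted status without any scan of its content — unlike vaSqlSafefNoAbort, which scans format arguments before emitting the same tag. The header comment should make the caller's obligation explicit, e.g. `/* Append zero terminated string to end of dyString. Adds the NOSQLINJ prefix if dy string is empty. The string is appended verbatim (no escaping or scanning), so it must be trusted SQL text such as a constant or sqlSafef output; use the sqlDyStringPrintf family for values. */`. Going further, the function could reject a `string` that itself contains the tag, mirroring the double-tag check in sqlGetResult, but that is a behaviour change this commit does not attempt.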