a3b2294493e8cd9cd4721072fcd3f3919b482ec6
galt
  Mon Jan 29 01:44:07 2018 -0800
making safer sql query strings.

diff --git src/hg/lib/facetField.c src/hg/lib/facetField.c
index 8b0f293..28fd432 100644
--- src/hg/lib/facetField.c
+++ src/hg/lib/facetField.c
@@ -45,36 +45,36 @@
 facetField->fieldName = cloneString(fieldName);
 facetField->valHash = hashNew(0);
 return facetField;
 }
 
 struct facetField *facetFieldsFromSqlTable(struct sqlConnection *conn, char *table, char *fields[], int fieldCount, 
     char *nullVal, char *where)
 /* Return a list of facetField, one for each field of given table */
 {
 /* Make query string */
 struct dyString *query = dyStringNew(0);
 sqlDyStringPrintf(query, "select %s", fields[0]);
 int i;
 for (i=1; i<fieldCount; ++i)
     {
-    dyStringAppendC(query, ',');
-    dyStringAppend(query, fields[i]);
+    sqlDyStringPrintf(query, ",");
+    sqlDyStringPrintf(query, "%s", fields[i]);
     }
-dyStringPrintf(query, " from %s", table);
+sqlDyStringPrintf(query, " from %s", table);
 if (where != NULL)
-    dyStringPrintf(query, " where %s", where);
+    sqlDyStringPrintf(query, " where %-s", where); // trusting where-clause
 
 /* Create facetField list and table. */
 struct facetField *ffArray[fieldCount], *ffList = NULL, *ff;
 for (i=0; i<fieldCount; ++i)
     {
     ff = ffArray[i] = facetFieldNew(fields[i]);
     slAddHead(&ffList, ff);
     }
 slReverse(&ffList);
 
 /* Scan through result saving it in list. */
 struct sqlResult *sr = sqlGetResult(conn, query->string);
 char **row;
 while ((row = sqlNextRow(sr)) != NULL)
     {
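Review bot: The `%-s` on the `where` line (L35) splices the caller's clause into the query verbatim, so the commit's safety gain for `fields[]` and `table` does not extend to `where`; the function is only as safe as every caller's construction of that string, and the header comment on the function does not say so. I would state the contract next to the `/* Return a list of facetField ... */` comment: `/* where, if non-NULL, is appended verbatim (%-s, no escaping) and must already be SQL-safe, e.g. built with sqlSafef; fields[] and table go through sqlDyStringPrintf checks. */`. The "trusting where-clause" remark is then better placed there than as a trailing `//` on the call, and the two calls in the loop can collapse to `sqlDyStringPrintf(query, ",%s", fields[i]);`. Whether unquoted `%s` identifiers are validated by sqlDyStringPrintf cannot be confirmed from this hunk, so the comment should be checked against that routine. facetFieldsFromSqlTable continues past the end of the hunk.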