061bcb3ed7232ceb6438b2b583f1a6d8c535d5fb
galt
  Wed Feb 14 15:55:33 2018 -0800
Fixing sql injection issues with sqlTableLike functions in jksql.c and places that use it.

diff --git src/hg/lib/hdb.c src/hg/lib/hdb.c
index 4206104..1d250ea 100644
--- src/hg/lib/hdb.c
+++ src/hg/lib/hdb.c
@@ -5538,31 +5538,31 @@
 }
 
 char *bbiNameFromSettingOrTable(struct trackDb *tdb, struct sqlConnection *conn, char *table)
 /* Return file name from bigDataUrl or little table. */
 {
 return bbiNameFromSettingOrTableChrom(tdb, conn, table, NULL);
 }
 
 static struct slName *hListSnpNNNTables(struct sqlConnection *conn, char *suffix)
 /* Return a list of 'snpNNN<suffix>' tables, if any, in reverse 'SHOW TABLES' order
  * (highest first).  If there are none and suffix is NULL/empty but conn has a table 'snp',
  * return that as a fallback for older databases like hg16.
  * suffix may be NULL to get the 'All SNPs' table (as opposed to Common, Flagged, Mult). */
 {
 char likeExpr[64];
-safef(likeExpr, sizeof(likeExpr), "LIKE 'snp___%s'", suffix ? suffix : "");
+safef(likeExpr, sizeof(likeExpr), "snp___%s", suffix ? suffix : "");
 struct slName *snpNNNTables = sqlListTablesLike(conn, likeExpr);
 slReverse(&snpNNNTables);
 // Trim non-snpNNN tables e.g. snpSeq in hg17, hg18:
 while (snpNNNTables && !isdigit(snpNNNTables->name[3]))
     snpNNNTables = snpNNNTables->next;
 // hg16 has only "snp":
 if (snpNNNTables == NULL && isEmpty(suffix) && sqlTableExists(conn, "snp"))
     snpNNNTables = slNameNew("snp");
 return snpNNNTables;
 }
 
 char *hFindLatestSnpTableConn(struct sqlConnection *conn, char *suffix)
 /* Return the name of the 'snpNNN<suffix>' table with the highest build number, if any.
  * suffix may be NULL to get the 'All SNPs' table (as opposed to Common, Flagged, Mult). */
 {
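Review bot: The replaced pattern on the `+safef` line still relies on `_` being interpreted as the LIKE single-character wildcard (three of them stand for the NNN build digits), but with the quoting moved into sqlListTablesLike the hunk no longer shows how that function treats `%`/`_` in its argument; if the jksql.c change escapes LIKE metacharacters as part of the injection fix, `snp___` would match only a table literally named that and the fallback branch below would be taken for every database. Either way the intent deserves a comment on the line, e.g. `// '_' is a LIKE single-char wildcard standing for the NNN build digits; sqlListTablesLike is expected to quote but not escape it`. The suffix value is still spliced into the pattern unescaped, so a suffix containing `%` or `_` widens the match rather than injecting SQL; a one-line note that suffix is expected to be a fixed caller-supplied constant would make that boundary explicit. hFindLatestSnpTableConn's body continues outside the hunk.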