061bcb3ed7232ceb6438b2b583f1a6d8c535d5fb
galt
  Wed Feb 14 15:55:33 2018 -0800
Fixing sql injection issues with sqlTableLike functions in jksql.c and places that use it.

diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index cf585bc..8b1d381 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -889,53 +889,53 @@
 
 static struct slName *sqlTableCacheQuery(struct sqlConnection *conn, char *likeExpr)
 /* This function queries the tableCache table. It is used by the sqlTableList 
  * function, so it doe not have to connect to the main sql server just to get a list of table names.
  * Returns all table names from the table name cache as a list. 
  * Can optionally filter with a likeExpr e.g. "LIKE snp%". */
 {
 char *tableList = cfgVal("showTableCache");
 struct slName *list = NULL, *el;
 char query[1024];
 // mysql SHOW TABLES is sorted alphabetically by default
 if (likeExpr==NULL)
     sqlSafef(query, sizeof(query), "SELECT DISTINCT tableName FROM %s ORDER BY tableName", tableList);
 else
     sqlSafef(query, sizeof(query), 
-        "SELECT DISTINCT tableName FROM %s WHERE tableName %s ORDER BY tableName", tableList, likeExpr);
+        "SELECT DISTINCT tableName FROM %s WHERE tableName LIKE '%s' ORDER BY tableName", tableList, likeExpr);
 
 struct sqlResult *sr = sqlGetResult(conn, query);
 char **row;
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = slNameNew(row[0]);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
 
 static struct slName *sqlListTablesForConn(struct sqlConnection *conn, char *likeExpr)
 /* run SHOW TABLES on connection and return a slName list.  LIKE expression
  * can be NULL or string e.g. "LIKE 'snp%'" */
 {
 char query[256];
 if (likeExpr == NULL)
     safef(query, sizeof(query), NOSQLINJ "SHOW TABLES");
 else
-    safef(query, sizeof(query), NOSQLINJ "SHOW TABLES %s", likeExpr);
+    safef(query, sizeof(query), NOSQLINJ "SHOW TABLES LIKE '%s'", likeExpr);
 
 struct slName *list = NULL, *el;
 
 struct sqlResult *sr;
 char **row;
 sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     el = slNameNew(row[0]);
     slAddHead(&list, el);
     }
 slReverse(&list);
 sqlFreeResult(&sr);
 return list;
 }
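Review bot: The new `safef(query, sizeof(query), NOSQLINJ "SHOW TABLES LIKE '%s'", likeExpr);` in sqlListTablesForConn still interpolates likeExpr without any escaping, so a pattern containing a single quote can still break out of the literal; the NOSQLINJ prefix only marks the string as trusted, it does not make it so. The sibling change in sqlTableCacheQuery goes through sqlSafef, which is the escaping path, so the same form would work here: `sqlSafef(query, sizeof(query), "SHOW TABLES LIKE '%s'", likeExpr);` (sqlSafef already prepends the NOSQLINJ marker, as the other call in this hunk shows). The header comments are now stale in both functions since the argument is a bare pattern rather than a full LIKE clause: line 16 should read `Can optionally filter with a LIKE pattern e.g. "snp%".` and lines 42-43 `LIKE pattern can be NULL or a string e.g. "snp%"`. Callers elsewhere that still pass `"LIKE 'snp%'"` will now silently match nothing, so it is worth confirming each call site was updated along with this commit. Both functions are fully contained in the hunk.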