3247510dde097fab841ab57d3a1fb34fbff8d69e
galt
  Fri Dec 7 19:51:05 2018 -0800
Blank identifiers should not be allowed as parameters in SQL statements in unquoted %s format strings. refs #22596

diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index 52283a6..7991872 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -3730,30 +3730,34 @@
 
 char *sqlCheckIdentifier(char *identifier)
 /* Check that only valid identifier characters are used */
 {
 static boolean init = FALSE;
 static char allowed[256];
 if (!init)
     {
     sqlCheckDisallowAllChars(allowed);
     sqlCheckAllowAlphaNumChars(allowed);
     sqlCheckAllowChar('.', allowed);
     sqlCheckAllowChar('_', allowed);
     // NOTE it is important for security that no other characters be allowed here
     init = TRUE;
     }
+if (identifier[0] == 0) // empty string not allowed since this is usually caused by an error.
+    {
+    sqlCheckError("Illegal empty string identifier not allowed.");
+    }
 if (!sqlCheckAllowedChars(identifier, allowed))
     {
     sqlCheckError("Illegal character found in identifier %s", identifier);
     }
 return identifier;
 }
 
 
 
 /* --------------------------- */
 
 int sqlEscapeAllStrings(char *buffer, char *s, int bufSize, char escPunc)
 /* Escape all strings demarked by escPunc char. *
  * Returns final size not including terminating 0. 
  * User needs to pre-allocate enough space that mysql_escape will never run out of space.
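Review bot: The new empty-string guard in sqlCheckIdentifier reports the error but does not stop the function: control falls through to the sqlCheckAllowedChars call and then `return identifier`, so unless sqlCheckError is fatal (its body is not visible in this hunk, and the comment only says "not allowed") the empty identifier is still handed back to the caller and spliced into the statement. A NULL identifier is also dereferenced by `identifier[0]` before any check fires; if callers can pass an unset value, that is a crash rather than a reported error. I would fold both into the guard and document the contract: `if (identifier == NULL || identifier[0] == 0)` with the message adjusted to cover NULL, plus a comment on the function such as `/* Returns identifier unchanged; callers must treat a sqlCheckError as fatal, since the value is returned even when the check fails. */` — confirm against sqlCheckError before relying on it.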