b8fd0b0fa23324dcb600302cc2ce42e6a88d46e9
galt
  Wed Mar 2 18:33:03 2022 -0800
Fixing SQL injection bug with sqlSafefFrag (escape the user-supplied track name before building the trackDb WHERE clause). Reported by NetSparker scan.

diff --git src/hg/hgGtexTrackSettings/hgGtexTrackSettings.c src/hg/hgGtexTrackSettings/hgGtexTrackSettings.c
index 6a79f6c..f73f1e7 100644
--- src/hg/hgGtexTrackSettings/hgGtexTrackSettings.c
+++ src/hg/hgGtexTrackSettings/hgGtexTrackSettings.c
@@ -401,41 +401,41 @@
 "    <div class='row gbTrackDescriptionPanel'>\n"
 "       <div class='gbTrackDescription'>\n");
 puts(tdb->html);
 puts(
 "       </div>\n"
 "   </div>\n");
 }
 
 static struct trackDb *getTrackDb(char *db, char *track)
 /* Check if this is an assembly with GTEx track and get trackDb */
 {
 struct sqlConnection *conn = sqlConnect(db);
 if (conn == NULL)
     errAbort("Can't connect to database %s\n", db);
 char where[256];
-safef(where, sizeof(where), "tableName='%s'", track);
+sqlSafefFrag(where, sizeof(where), "tableName='%s'", track);
 // WARNING: this will break in sandboxes unless trackDb entry is pushed to hgwdev.
 // The fix of using hTrackDbList() would slow for all users, so leaving as is.
 #define TRACKDB "trackDb"
 struct trackDb *tdb = trackDbLoadWhere(conn, TRACKDB, where);
 trackDbAddTableField(tdb);
 char *parent = trackDbLocalSetting(tdb, "parent");
 struct trackDb *parentTdb;
 if (parent)
     {
-    safef(where, sizeof(where), "tableName='%s'", parent);
+    sqlSafefFrag(where, sizeof(where), "tableName='%s'", parent);
     parentTdb = trackDbLoadWhere(conn, TRACKDB, where);
     if (parentTdb)
         tdb->parent = parentTdb;
     }
 sqlDisconnect(&conn);
 return tdb;
 }
 
 static void doMiddle(struct cart *theCart)
 /* Send HTML with javascript to display the user interface. */
 {
 cart = theCart;
 char *db = NULL, *genome = NULL, *clade = NULL;
 getDbGenomeClade(cart, &db, &genome, &clade, oldVars);
 database = db;
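Review bot: The escaped lookup in getTrackDb still dereferences `tdb` unchecked: `trackDbLoadWhere(conn, TRACKDB, where)` can evidently return NULL (the parent lookup a few lines later guards `parentTdb` with `if (parentTdb)`, and the comment about sandboxes says the entry may be missing), yet `trackDbAddTableField(tdb)` and `trackDbLocalSetting(tdb, "parent")` run on the result immediately, so a `track` value that escapes cleanly but matches no row crashes the CGI instead of failing with a message. I would add, directly after the first `trackDbLoadWhere` call, `if (tdb == NULL) errAbort("No trackDb entry for track '%s' in %s", track, db);` — which also keeps the connection from being left to the process exit path on that branch. Separately, since the value is now escaped in place, a track name containing quotes or backslashes grows in the 256-byte `where` buffer; if sqlSafefFrag aborts rather than truncates on overflow this is safe but worth a one-line comment, e.g. `// sqlSafefFrag escapes track; aborts rather than truncates if the escaped name overflows where[]`, assuming that is its contract. getTrackDb is complete within the hunk; doMiddle begins at the end of the hunk and continues beyond it.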