c98ab6c8d2b3a44f447f3f6847129b9840c1749d
galt
  Fri May 13 01:39:42 2022 -0700
Fixing #filter in hgTables/joining.c for improved SQL Injection protections. refs #29274

diff --git src/hg/hgTables/hgTables.c src/hg/hgTables/hgTables.c
index 60071c9..a9d79f5 100644
--- src/hg/hgTables/hgTables.c
+++ src/hg/hgTables/hgTables.c
@@ -1064,31 +1064,31 @@
     int colIx, lastCol = fieldCount-1;
     char *filter = filterClause(dbVarName, tableVarName, region->chrom, identifierFilter);
 
     sr = regionQuery(conn, table, fieldSpec->string,
             region, isPositional, filter);
     if (sr == NULL)
         continue;
 
     /* First time through print column names. */
     if (! printedColumns)
         {
         // Show only the SQL filter built from filter page options, not identifierFilter,
         // because identifierFilter can get enormous (like 126kB for 12,500 rsIDs).
         char *filterNoIds = filterClause(dbVarName, tableVarName, region->chrom, NULL);
         if (filterNoIds != NULL)
-            hOrFPrintf(f, "#filter: %s\n", filterNoIds);
+            hOrFPrintf(f, "#filter: %s\n", filterNoIds+NOSQLINJ_SIZE);
         hOrFPrintf(f, "#");
         if (showItemRgb)
             {
             itemRgbCol = itemRgbHeader(f, sr, lastCol);
             if (itemRgbCol == -1)
                 showItemRgb = FALSE;        /*  did not find "reserved" */
             }
         else
             {
             for (colIx = 0; colIx < lastCol; ++colIx)
                 {
                 if (outSep == ',') hOrFPrintf(f, "\"");
                 hOrFPrintf(f, "%s", sqlFieldName(sr));
                 if (outSep == ',') hOrFPrintf(f, "\"");
                 hOrFPrintf(f, "%c", outSep);
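Review bot: The new `filterNoIds+NOSQLINJ_SIZE` on the `#filter:` line assumes every non-NULL string coming back from `filterClause` carries the NOSQLINJ marker and is at least NOSQLINJ_SIZE bytes long; if that helper (not shown here) ever returns a bare clause, the pointer lands past the terminator and the printf reads out of bounds. A cheap guard avoids that: `char *shown = filterNoIds; if (strncmp(shown, NOSQLINJ, NOSQLINJ_SIZE) == 0) shown += NOSQLINJ_SIZE;` and print `shown` — assuming the prefix macro is named NOSQLINJ to match the size macro, which I cannot confirm from the hunk. A short comment would also help the next reader, since the commit message frames this as injection hardening while the visible change only keeps the internal "already-vetted" marker out of user-visible output: `// Strip the internal NOSQLINJ tag; it marks a vetted clause and must not appear in output.` The enclosing function starts before and continues past this hunk.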