d72c06628ce3c8a977c5eec289b6e8c7fc2cc5e3 galt Fri May 27 16:36:45 2022 -0700 oops minor NOSQLINJv2 fix for pubs.c, I missed proper initialization of artFilterSql should have been sqlSafef(artFilterSql, sizeof(artFilterSql), "%s", ""); Revamped to be better and simpler with dyString. refs #29274
diff --git src/hg/hgc/pubs.c src/hg/hgc/pubs.c
index a8668d6..77a4d6f 100644
--- src/hg/hgc/pubs.c
+++ src/hg/hgc/pubs.c
@@ -288,55 +288,57 @@
 }
 if (found==0)
 errAbort("You need to specify at least one article section.");
 return dyStringCannibalize(&dy);
 }
 static struct sqlResult *queryMarkerRows(struct sqlConnection *conn, char *markerTable, \
 char *articleTable, char *item, int itemLimit, char *sectionList, char *artExtIdFilter)
 /* query marker rows from mysql, based on http parameters
 * optionally filter on sections or just a single article
 * */
 {
-char query[4000];
 /* Mysql specific setting to make the group_concat function return longer strings */
 //sqlSafef(query, sizeof query, "SET SESSION group_concat_max_len = 100000");
 //sqlUpdate(conn, query);
-char artFilterSql[4000];
-artFilterSql[0] = 0;
-if (isNotEmpty(artExtIdFilter))
- sqlSafef(artFilterSql, sizeof(artFilterSql), " AND extId='%s' ", artExtIdFilter);
+struct dyString *query = dyStringNew(4000);
 // no need to check for illegal characters in sectionList
-sqlSafef(query, sizeof(query), "SELECT distinct %s.articleId, url, title, authors, citation, year, "
+sqlDyStringPrintf(query, "SELECT distinct %s.articleId, url, title, authors, citation, year, "
 "pmid FROM %s "
 //"group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s "
 "JOIN %s USING (articleId) "
- "WHERE markerId='%s' AND section in (%-s) "
- "%-s"
+ "WHERE markerId='%s' AND section in (%-s) ",
+ markerTable, markerTable, articleTable, item, sectionList);
+
+if (isNotEmpty(artExtIdFilter))
+ sqlDyStringPrintf(query, " AND extId='%s' ", artExtIdFilter);
+
+sqlDyStringPrintf(query,
 //"GROUP by articleId "
 "ORDER BY year DESC "
 "LIMIT %d",
- markerTable, markerTable, articleTable, item, sectionList, artFilterSql, itemLimit);
+ itemLimit);
- printDebug(query);
+ printDebug(dyStringContents(query));
-struct sqlResult *sr = sqlGetResult(conn, query);
+struct sqlResult *sr = sqlGetResult(conn, dyStringContents(query));
+dyStringFree(&query);
 return sr;
 }
 static struct sqlResult *querySnippets(struct sqlConnection *conn, char *markerTable, \
 char *articleId, char *markerId, char *sectionList)
 /* query marker snippet rows from mysql for an article, markerId combination */
 {
 char query[4000];
 sqlSafef(query, sizeof(query), "SELECT section, snippet FROM %s "
 "WHERE articleId=%s AND markerId='%s' AND section in (%-s) ",
 markerTable, articleId, markerId, sectionList);
 struct sqlResult *sr = sqlGetResult(conn, query);
 return sr;
 }
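Review bot: The new `sqlDyStringPrintf` call in queryMarkerRows still splices `sectionList` in through `%-s`, i.e. unescaped, and the only justification left in the code is the terse `// no need to check for illegal characters in sectionList`; now that `item` and `artExtIdFilter` both go through escaped `%s`, that one line is the sole place where the query's injection safety rests on a caller invariant rather than on the formatter. The builder whose tail is visible at the top of the hunk (`if (found==0) errAbort(...); return dyStringCannibalize(&dy);`) appears to assemble sectionList from a fixed set of section names, but its start lies outside the hunk, so I would state the invariant where it is relied upon: `// sectionList is assembled from a fixed list of section names, not raw CGI input, so %-s is acceptable here (confirm against the builder)`. Calling `dyStringFree(&query)` immediately after `sqlGetResult(conn, dyStringContents(query))` is correct only if the returned result does not retain a pointer to the query text; a one-line comment such as `// sqlGetResult does not keep a reference to the query buffer` (once verified in jksql) would spare the next reader that trip. queryMarkerRows itself lies entirely inside the hunk; querySnippets, unchanged below it, keeps the fixed `char query[4000]` plus `sqlSafef` pattern, which is fine since sqlSafef bounds the write, but the two siblings now build their queries in different styles.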