0f8172b899832fbc341e973de7f0addabb25337c
galt
  Sat May 28 16:15:15 2022 -0700
fixing SQL free-form query for NOSQLINJv2 in hgTables and tablesTables. also did some security testing on the SQL Sanity routine, and found no problems. refs #29274

diff --git src/hg/lib/tablesTables.c src/hg/lib/tablesTables.c
index 5bca118..53e7df3 100644
--- src/hg/lib/tablesTables.c
+++ src/hg/lib/tablesTables.c
@@ -816,31 +816,40 @@
     struct dyString **retQuery, struct dyString **retWhere)
 /* Construct select, from and where clauses in query, keeping an additional copy of where 
  * Returns the SQL query and the SQL where expression as two dyStrings (need to be freed)  */
 {
 struct dyString *query = dyStringNew(0);
 struct dyString *where = dyStringNew(0);
 struct slName *field, *fieldList = commaSepToSlNames(fields);
 boolean gotWhere = FALSE;
 sqlCkIl(fieldsSafe,fields)
 sqlCkIl(fromSafe,from)
 
 sqlDyStringPrintf(query, "select %-s from %-s", fieldsSafe, fromSafe);
 if (!isEmpty(initialWhere))
     {
     sqlDyStringPrintf(where, " where ");
-    sqlSanityCheckWhere(initialWhere, where);
+
+    struct dyString *dyTemp = dyStringNew(0);
+    sqlSanityCheckWhere(initialWhere, dyTemp);
+
+    char trustedBuf[dyTemp->stringSize+NOSQLINJ_SIZE+1];
+    safef(trustedBuf, sizeof trustedBuf, NOSQLINJ "%s", dyTemp->string);  // TRUST
+
+    sqlDyStringPrintf(where, "%-s", trustedBuf);
+    dyStringFree(&dyTemp);
+
     gotWhere = TRUE;
     }
 
 /* If we're doing filters, have to loop through the row of filter controls */
 if (withFilters)
     {
     for (field = fieldList; field != NULL; field = field->next)
         {
 	char varName[128];
 	safef(varName, sizeof(varName), "%s_f_%s", varPrefix, field->name);
 	char *val = trimSpaces(cartUsualString(cart, varName, ""));
 	if (!isEmpty(val))
 	    {
 	    if (gotWhere)
 		sqlDyStringPrintf(where, " and ");
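Review bot: The `trustedBuf` VLA on the added line `char trustedBuf[dyTemp->stringSize+NOSQLINJ_SIZE+1];` is sized by the length of the sanitized free-form where clause, so a long user-supplied `initialWhere` puts a proportionally large buffer on the stack of this CGI; that is an avoidable stack-exhaustion risk, and the copy exists only to put the NOSQLINJ prefix in front of text that is already held in a dyString. Since the old code relied on `sqlSanityCheckWhere` appending to `where` after `" where "`, the prefix can be placed in the temp string before the call instead: add `dyStringAppend(dyTemp, NOSQLINJ);` right after `dyStringNew(0)`, drop the VLA and the `safef`, and pass `sqlDyStringPrintf(where, "%-s", dyTemp->string);` — assuming the `%-s` trust check only requires the prefix at the start of the argument, which the `safef` format used here implies. The bare `// TRUST` marker would be more useful as a sentence, e.g. `/* trusted: sqlSanityCheckWhere has already validated initialWhere */`. The enclosing function starts and ends outside this hunk.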