CalvinBackup/erpnext
1
0
Fork 0
mirror of https://github.com/frappe/erpnext.git synced 2026-02-13 17:53:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20442 from fproldan/fix_sqlinjection_hotfix_v11

Browse Source 
fix: SQL Injection in get_product_list_for_group method
This commit is contained in:
Deepesh Garg
2020-01-28 09:17:39 +05:30
committed by GitHub
parent 8a5f31da34 af79714f40
commit 41d2357dc4
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
erpnext/setup/doctype/item_group/item_group.py
View File

@@ -109,7 +109,7 @@ def get_product_list_for_group(product_group=None, start=0, limit=10, search=Non
or I.name like %(search)s)"""
search = "%" + cstr(search) + "%"
query += """order by I.weightage desc, in_stock desc, I.modified desc limit %s, %s""" % (start, limit)
query += """order by I.weightage desc, in_stock desc, I.modified desc limit %s, %s""" % (cint(start), cint(limit))
data = frappe.db.sql(query, {"product_group": product_group,"search": search, "today": nowdate()}, as_dict=1)
data = adjust_qty_for_expired_items(data)