[fix] injection

erpnext/accounts/page/accounts_browser/accounts_browser.py

@@ -25,9 +25,9 @@ def get_children():
 		acc = frappe.db.sql(""" select
 			name as value, if(group_or_ledger='Group', 1, 0) as expandable %s
 			from `tab%s`
-			where ifnull(parent_%s,'') = ''
+			where ifnull(`parent_%s`,'') = ''
 			and `company` = %s	and docstatus<2
-			order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+			order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				company, as_dict=1)
 
 		if args["parent"]=="Accounts":
@@ -37,9 +37,9 @@ def get_children():
 		acc = frappe.db.sql("""select
 			name as value, if(group_or_ledger='Group', 1, 0) as expandable
 	 		from `tab%s`
-			where ifnull(parent_%s,'') = %s
+			where ifnull(`parent_%s`,'') = %s
 			and docstatus<2
-			order by name""" % (ctype, ctype.lower().replace(' ','_'), '%s'),
+			order by name""" % (frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				args['parent'], as_dict=1)
 
 	if ctype == 'Account':

erpnext/accounts/utils.py

@@ -50,7 +50,7 @@ def get_balance_on(account=None, date=None):
 
 	cond = []
 	if date:
-		cond.append("posting_date <= '%s'" % date)
+		cond.append("posting_date <= '%s'" % frappe.db.escape(date))
 	else:
 		# get balance of all entries that exist
 		date = nowdate()
@@ -79,7 +79,7 @@ def get_balance_on(account=None, date=None):
 			and ac.lft >= %s and ac.rgt <= %s
 		)""" % (acc.lft, acc.rgt))
 	else:
-		cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), ))
+		cond.append("""gle.account = "%s" """ % (frappe.db.escape(account), ))
 
 	bal = frappe.db.sql("""
 		SELECT sum(ifnull(debit, 0)) - sum(ifnull(credit, 0))