From 3b2fd6e334c9b15241cab8c1ee412647206d836c Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Sat, 13 Apr 2013 15:54:38 +0530
Subject: [PATCH] [sql] [fix] fixed item.py injections

---
 selling/doctype/sales_common/sales_common.py | 3 +--
 stock/doctype/item/item.py | 7 ++++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/selling/doctype/sales_common/sales_common.py b/selling/doctype/sales_common/sales_common.py
index b9f9af64d16..7b1528bafe2 100644
--- a/selling/doctype/sales_common/sales_common.py
+++ b/selling/doctype/sales_common/sales_common.py
@@ -125,8 +125,7 @@ class DocType(TransactionBase):
 def get_item_details(self, args, obj):
 import json
 if not obj.doc.price_list_name:
- msgprint("Please Select Price List before selecting Items")
- raise Exception
+ msgprint("Please Select Price List before selecting Items", raise_exception=True)
 item = webnotes.conn.sql("""select description, item_name, brand, item_group, stock_uom, default_warehouse, default_income_account, default_sales_cost_center, purchase_account, description_html, barcode from `tabItem`
diff --git a/stock/doctype/item/item.py b/stock/doctype/item/item.py
index c0f0a07e525..3486f920273 100644
--- a/stock/doctype/item/item.py
+++ b/stock/doctype/item/item.py
@@ -39,7 +39,8 @@ class DocType(DocListController):
 # webpage updates
 self.update_website()
- bin = sql("select stock_uom from `tabBin` where item_code = '%s' " % self.doc.item_code)
+ bin = sql("select stock_uom from `tabBin` where item_code = %s",
+ self.doc.item_code)
 if bin and cstr(bin[0][0]) and cstr(bin[0][0]) != cstr(self.doc.stock_uom):
 msgprint("Please Update Stock UOM with the help of Stock UOM Replace Utility.")
 raise Exception 
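Review bot: The `tabItem` query that begins on the hunk's last context line is cut off, so its `where` clause and how `args` is bound into it are not visible here; since this commit's stated purpose is removing `%`-formatted SQL, it is worth confirming that this query also passes its values as a parameter argument to `webnotes.conn.sql` rather than interpolating them. The `import json` at the top of get_item_details has no visible use within the hunk — if nothing further down uses it, it is dead and can be dropped. get_item_details continues past the end of the hunk.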
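Review bot: The error path two lines below the rewritten query still pairs `msgprint(...)` with a bare `raise Exception`, while the sales_common.py hunk in this same commit switches that idiom to `msgprint("...", raise_exception=True)`; for consistency this line could become `msgprint("Please Update Stock UOM with the help of Stock UOM Replace Utility.", raise_exception=True)`, and the same `msgprint` + `raise Exception` pairing remains in the @@ -149 and @@ -157 hunks of this file. As a point of style, the new `bin = sql(...)` line keeps a local that shadows the builtin `bin`; a name like `bin_uom` would avoid that. The enclosing method starts before the hunk, so whether `self.doc.item_code` is always set at this point cannot be seen here.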
@@ -149,7 +150,7 @@ class DocType(DocListController):
 def check_for_active_boms(self, field_label):
 if field_label in ['Is Active', 'Is Purchase Item']:
- bom_mat = sql("select distinct t1.parent from `tabBOM Item` t1, `tabBOM` t2 where t1.item_code ='%s' and (t1.bom_no = '' or t1.bom_no is NULL) and t2.name = t1.parent and t2.is_active = 1 and t2.docstatus = 1 and t1.docstatus =1 " % self.doc.name )
+ bom_mat = sql("select distinct t1.parent from `tabBOM Item` t1, `tabBOM` t2 where t1.item_code =%s and (t1.bom_no = '' or t1.bom_no is NULL) and t2.name = t1.parent and t2.is_active = 1 and t2.docstatus = 1 and t1.docstatus =1 ", self.doc.name)
 if bom_mat and bom_mat[0][0]:
 msgprint("%s should be 'Yes'. As Item %s is present in one or many Active BOMs." % (cstr(field_label), cstr(self.doc.name)))
 raise Exception
@@ -157,7 +158,7 @@ class DocType(DocListController):
 and self.doc.is_sub_contracted_item != 'Yes') or (field_label == 'Is Sub Contracted Item' and self.doc.is_manufactured_item != 'Yes')):
- bom = sql("select name from `tabBOM` where item = '%s' and is_active = 1" % cstr(self.doc.name))
+ bom = sql("select name from `tabBOM` where item = %s and is_active = 1", self.doc.name)
 if bom and bom[0][0]:
 msgprint("%s should be 'Yes'. As Item %s is present in one or many Active BOMs." % (cstr(field_label), cstr(self.doc.name)))
 raise Exception
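Review bot: The rewritten `bom_mat = sql(...)` line carries the whole SELECT as a single ~250-character string literal, which makes the placeholder and the clause boundaries hard to review; the `tabItem` query in sales_common.py already uses a triple-quoted string with one clause per line, and the same layout here (and for the `bom = sql(...)` line in the @@ -157 hunk) would keep both parameterized queries readable. The parameter binding itself looks right: the quotes around `%s` were dropped along with the `%` operator, so the driver quotes the value. check_for_active_boms continues past the end of this hunk.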