sql injection fixes

This commit is contained in:
Nabin Hait
2014-03-03 15:51:13 +05:30
parent eb7fea673b
commit 4d713ac5ba
37 changed files with 221 additions and 364 deletions


@@ -7,15 +7,16 @@ import frappe
@frappe.whitelist()
def get_feed(arg=None):
"""get feed"""
roles = frappe.get_roles()
return frappe.db.sql("""select
distinct t1.name, t1.feed_type, t1.doc_type, t1.doc_name, t1.subject, t1.owner,
t1.modified
from tabFeed t1, tabDocPerm t2
where t1.doc_type = t2.parent
and t2.role in ('%s')
and t2.role in (%s)
and t2.permlevel = 0
and ifnull(t2.`read`,0) = 1
order by t1.modified desc
limit %s, %s""" % ("','".join(frappe.get_roles()),
frappe.form_dict['limit_start'], frappe.form_dict['limit_page_length']),
as_dict=1)
limit %s, %s""" % (','.join(['%s']*len(roles)), '%s', '%s'),
tuple(roles + [frappe.form_dict['limit_start'], frappe.form_dict['limit_page_length']]),
as_dict=1)
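Review bot: The two LIMIT values in the new parameter tuple on the last two lines are taken from `frappe.form_dict` as request strings, and if the driver quotes string parameters (as MySQLdb does) the query is rendered as `limit '0', '20'`, which MySQL rejects as a syntax error, so the rewritten endpoint likely fails at runtime even though the injection is closed. Coerce both to integers before binding, e.g. `tuple(roles + [int(frappe.form_dict['limit_start']), int(frappe.form_dict['limit_page_length'])])`, which also rejects non-numeric input with a ValueError at the boundary rather than a database error. The `[...]` lookups still raise KeyError when either parameter is missing; the old code had the same gap, but a `.get(..., 0)` default combined with the integer cast would make the paging arguments robust. The `"""get feed"""` docstring could also state that results are filtered to document types readable by the caller's roles at permlevel 0 and paged by the two form parameters.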