Duplicate query to avoid SQL injection

This commit is contained in:
Charles-Henri Decultot
2018-12-13 10:53:08 +00:00
parent f6d18e81e9
commit 58438f4e5b
3 changed files with 42 additions and 21 deletions


@@ -2,7 +2,7 @@
// For license information, please see license.txt // For license information, please see license.txt
frappe.ui.form.on('Account Subtype', { frappe.ui.form.on('Account Subtype', {
refresh: function(frm) { refresh: function() {
} }
}); });


@@ -2,7 +2,7 @@
// For license information, please see license.txt // For license information, please see license.txt
frappe.ui.form.on('Account Type', { frappe.ui.form.on('Account Type', {
refresh: function(frm) { refresh: function() {
} }
}); });


@@ -115,25 +115,46 @@ def check_matching_amount(bank_account, company, transaction):
"party", "party_type", "posting_date", "{0}".format(currency_field)], filters=[["paid_amount", "like", "{0}%".format(amount)], "party", "party_type", "posting_date", "{0}".format(currency_field)], filters=[["paid_amount", "like", "{0}%".format(amount)],
["docstatus", "=", "1"], ["payment_type", "=", payment_type], ["ifnull(clearance_date, '')", "=", ""], ["{0}".format(account_from_to), "=", "{0}".format(bank_account)]]) ["docstatus", "=", "1"], ["payment_type", "=", payment_type], ["ifnull(clearance_date, '')", "=", ""], ["{0}".format(account_from_to), "=", "{0}".format(bank_account)]])
paid_amount_condition = "jea.debit_in_account_currency as paid_amount" if transaction.credit > 0 else "jea.credit_in_account_currency as paid_amount" if transaction.credit > 0:
amount_condition = "AND jea.debit_in_account_currency like %s" if transaction.credit > 0 else "AND jea.credit_in_account_currency like %s" journal_entries = frappe.db.sql("""
journal_entries = frappe.db.sql(""" SELECT
SELECT 'Journal Entry' as doctype, je.name, je.posting_date, je.cheque_no as reference_no,
'Journal Entry' as doctype, je.name, je.posting_date, je.cheque_no as reference_no, je.pay_to_recd_from as party, je.cheque_date as reference_date, jea.debit_in_account_currency as paid_amount
je.pay_to_recd_from as party, je.cheque_date as reference_date, %s FROM
FROM `tabJournal Entry Account` as jea
`tabJournal Entry Account` as jea JOIN
JOIN `tabJournal Entry` as je
`tabJournal Entry` as je ON
ON jea.parent = je.name
jea.parent = je.name WHERE
WHERE (je.clearance_date is null or je.clearance_date='0000-00-00')
(je.clearance_date is null or je.clearance_date='0000-00-00') AND
AND jea.account = %s
jea.account = '%s' %s AND
AND jea.debit_in_account_currency like %s
je.docstatus = 1 AND
""" % (paid_amount_condition, bank_account, amount_condition), amount, as_dict=True) je.docstatus = 1
""", (bank_account, amount), as_dict=True)
else:
journal_entries = frappe.db.sql("""
SELECT
'Journal Entry' as doctype, je.name, je.posting_date, je.cheque_no as reference_no,
je.pay_to_recd_from as party, je.cheque_date as reference_date, jea.credit_in_account_currency as paid_amount
FROM
`tabJournal Entry Account` as jea
JOIN
`tabJournal Entry` as je
ON
jea.parent = je.name
WHERE
(je.clearance_date is null or je.clearance_date='0000-00-00')
AND
jea.account = %s
AND
jea.credit_in_account_currency like %s
AND
je.docstatus = 1
""", (bank_account, amount), as_dict=True)
if transaction.credit > 0: if transaction.credit > 0:
sales_invoices = frappe.db.sql(""" sales_invoices = frappe.db.sql("""