[fix] don't allow string values in limits to avoid sql injection (#8779)

This commit is contained in:
Saurabh
2017-05-11 18:03:12 +05:30
committed by Rushabh Mehta
parent fcefc601e0
commit 62c7deee00


@@ -3,7 +3,7 @@
from __future__ import unicode_literals from __future__ import unicode_literals
import frappe import frappe
from frappe.utils import cstr, nowdate from frappe.utils import cstr, nowdate, cint
from erpnext.setup.doctype.item_group.item_group import get_item_for_list_in_html from erpnext.setup.doctype.item_group.item_group import get_item_for_list_in_html
no_cache = 1 no_cache = 1
@@ -33,7 +33,7 @@ def get_product_list(search=None, start=0, limit=12):
search = "%" + cstr(search) + "%" search = "%" + cstr(search) + "%"
# order by # order by
query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (start, limit) query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (cint(start), cint(limit))
data = frappe.db.sql(query, { data = frappe.db.sql(query, {
"search": search, "search": search,