refactor: Use parameterized SQL queries to prevent injection and handle None values

(cherry picked from commit a08c7f37d3)
2026-04-26 10:08:30 +00:00 · 2025-08-11 11:55:56 +03:00
parent 0cd9330e44
commit c462219dd7
1 changed files with 23 additions and 5 deletions
--- a/erpnext/setup/doctype/party_type/party_type.py
+++ b/erpnext/setup/doctype/party_type/party_type.py
@@ -26,13 +26,31 @@ class PartyType(Document):
@frappe.validate_and_sanitize_search_inputs
 def get_party_type(doctype, txt, searchfield, start, page_len, filters):
 	cond = ""
+	account_type = None
+
 	if filters and filters.get("account"):
 		account_type = frappe.db.get_value("Account", filters.get("account"), "account_type")
-		cond = "and account_type = '%s'" % account_type
+		if account_type:
+			cond = "and account_type = %(account_type)s"

-	return frappe.db.sql(
+	# Build parameters dictionary
+	params = {"txt": "%" + txt + "%", "start": start, "page_len": page_len}
+	if account_type:
+		params["account_type"] = account_type
+
+	result = frappe.db.sql(
 		f"""select name from `tabParty Type`
-			where `{searchfield}` LIKE %(txt)s {cond}
-			order by name limit %(page_len)s offset %(start)s""",
-		{"txt": "%" + txt + "%", "start": start, "page_len": page_len},
+        where `{searchfield}` LIKE %(txt)s {cond}
+        order by name limit %(page_len)s offset %(start)s""",
+		params,
 	)
+
+	# Convert to list and append Employee if not already present
+	result = list(result) if result else []
+
+	# Only append Employee for Receivable or Payable account types
+	if account_type in ["Receivable", "Payable"]:
+		if not any(row[0] == "Employee" for row in result):
+			result.append(("Employee",))  # Using tuple format like SQL returns
+
+	return result