Merge pull request #54244 from khushi8112/journal-entry-get-against-jv-sql-injection

fix: replace raw SQL with qb in get_against_jv to prevent SQL injection
2026-06-02 03:39:11 +00:00 · 2026-04-13 15:12:49 +05:30
parent a9bb3e2315 c133f7156d
commit c805324a99
1 changed files with 31 additions and 24 deletions
--- a/erpnext/accounts/doctype/journal_entry/journal_entry.py
+++ b/erpnext/accounts/doctype/journal_entry/journal_entry.py
@@ -1553,35 +1553,42 @@ def get_payment_entry(ref_doc, args):
@frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs
-def get_against_jv(doctype: str, txt: str, searchfield: str, start: int, page_len: int, filters: dict):
+def get_against_jv(
 	doctype: str,
 	txt: str,
 	searchfield: str,
 	start: int,
 	page_len: int,
 	filters: dict,
 ):
 	if not frappe.db.has_column("Journal Entry", searchfield):
 		return []
-	return frappe.db.sql(
+	JournalEntry = frappe.qb.DocType("Journal Entry")
-		f"""
+	JournalEntryAccount = frappe.qb.DocType("Journal Entry Account")
-		SELECT jv.name, jv.posting_date, jv.user_remark
+
-		FROM `tabJournal Entry` jv, `tabJournal Entry Account` jv_detail
+	query = (
-		WHERE jv_detail.parent = jv.name
+		frappe.qb.from_(JournalEntry)
-			AND jv_detail.account = %(account)s
+		.join(JournalEntryAccount)
-			AND IFNULL(jv_detail.party, '') = %(party)s
+		.on(JournalEntryAccount.parent == JournalEntry.name)
-			AND (
+		.select(JournalEntry.name, JournalEntry.posting_date, JournalEntry.user_remark)
-				jv_detail.reference_type IS NULL
+		.where(JournalEntryAccount.account == filters.get("account"))
-				OR jv_detail.reference_type = ''
+		.where(JournalEntryAccount.reference_type.isnull() | (JournalEntryAccount.reference_type == ""))
-			)
+		.where(JournalEntry.docstatus == 1)
-			AND jv.docstatus = 1
+		.where(JournalEntry[searchfield].like(f"%{txt}%"))
-			AND jv.`{searchfield}` LIKE %(txt)s
+		.orderby(JournalEntry.name, order=frappe.qb.desc)
-		ORDER BY jv.name DESC
+		.limit(page_len)
-		LIMIT %(limit)s offset %(offset)s
+		.offset(start)
 		""",
 		dict(
 			account=filters.get("account"),
 			party=cstr(filters.get("party")),
 			txt=f"%{txt}%",
 			offset=start,
 			limit=page_len,
 		),
 	)
 	party = filters.get("party")
 	if party:
 		query = query.where(JournalEntryAccount.party == party)
 	else:
 		query = query.where(JournalEntryAccount.party.isnull() | (JournalEntryAccount.party == ""))
 	return query.run()
@frappe.whitelist()
 def get_outstanding(args: str | dict):