[fix] injection

This commit is contained in:
Anand Doshi
2015-11-17 18:27:50 +05:30
parent 3667da1053
commit da79740cdf
11 changed files with 53 additions and 50 deletions


@@ -42,7 +42,7 @@ def get_sender_name():
def get_contact_number(contact_name, value, key):
"returns mobile number of the contact"
number = frappe.db.sql("""select mobile_no, phone from tabContact where name=%s and %s=%s""" %
('%s', key, '%s'), (contact_name, value))
('%s', frappe.db.escape(key), '%s'), (contact_name, value))
return number and (number[0][0] or number[0][1]) or ''
@frappe.whitelist()
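Review bot: Escaping `key` does not close the hole, because `key` is interpolated into an identifier position (the column name in `and %s=%s`), and escape routines are built for string values, not identifiers, so a caller-controlled key can still shape the query; if `frappe.db.escape` additionally quotes its result, the clause degrades to comparing a string literal with `value`, which I cannot confirm from here. The robust fix is to validate `key` against an allow-list of the column names this lookup is meant to support before the query is built, e.g. `if key not in ALLOWED_CONTACT_KEYS: raise ValueError("unsupported contact key")` (with `ALLOWED_CONTACT_KEYS` a module-level tuple of permitted column names, placeholder here), and only then interpolate it. The `%s` used for `contact_name` and `value` is already a proper bound parameter and needs no change. The diffstat lists 11 files, so the same identifier-interpolation pattern may exist in hunks not shown on this page and deserves the same check.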
@@ -94,7 +94,7 @@ def send_request(gateway_url, args):
headers = {}
headers['Accept'] = "text/plain, text/html, */*"
conn.request('GET', api_url + urllib.urlencode(args), headers = headers) # send request
resp = conn.getresponse() # get response
resp = conn.getresponse() # get response
return resp.status
# Split gateway url to server and api url