Merge pull request #25167 from ankush/escape_sql_credit_report

fix: escape sql filters in credit report
This commit is contained in:
Deepesh Garg 2021-04-13 15:24:15 +05:30 committed by GitHub
commit 0dcb48a6ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -57,18 +57,18 @@ def get_columns(customer_naming_type):
return columns
def get_details(filters):
conditions = ""
sql_query = """SELECT
c.name, c.customer_name,
ccl.bypass_credit_limit_check,
c.is_frozen, c.disabled
FROM `tabCustomer` c, `tabCustomer Credit Limit` ccl
WHERE
c.name = ccl.parent
AND ccl.company = %(company)s"""
# customer filter is optional.
if filters.get("customer"):
conditions += " AND c.name = '" + filters.get("customer") + "'"
sql_query += " AND c.name = %(customer)s"
return frappe.db.sql("""SELECT
c.name, c.customer_name,
ccl.bypass_credit_limit_check,
c.is_frozen, c.disabled
FROM `tabCustomer` c, `tabCustomer Credit Limit` ccl
WHERE
c.name = ccl.parent
AND ccl.company = '{0}'
{1}
""".format( filters.get("company"),conditions), as_dict=1) #nosec
return frappe.db.sql(sql_query, filters, as_dict=1)
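Review bot: The new `return frappe.db.sql(sql_query, filters, as_dict=1)` hands the whole `filters` mapping to the driver as the named-parameter dict, so the contract that `filters` must carry a `company` key is now enforced at query time (a missing key surfaces as a driver error) instead of being silently interpolated as the literal string `None` by the old `.format(filters.get("company"), ...)` call; that is the right behavior for a parameterized query, but the function documents none of it. A short docstring would make the expectation explicit for callers: `"""Return customer credit-limit rows for filters["company"]; filters["customer"] optionally narrows to one customer. `filters` is also used as the SQL parameter mapping, so those keys must exist."""`. If the report's company filter is not marked mandatory on the report definition, a guard that raises a clear error before the query runs would be preferable to the driver's message, but whether it is mandatory cannot be seen from this hunk. Line breaks and indentation of the `sql_query` literal were lost in rendering, so no formatting comment is made here.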