From 4b404c4f1e8e3bb82dab1d7b7159385f326d4ccc Mon Sep 17 00:00:00 2001
From: Suraj Shetty
Date: Thu, 27 Sep 2018 15:39:34 +0530
Subject: [PATCH] Avoid multiple escapes (#15509)

---
 erpnext/controllers/queries.py | 9 ++++-----
 erpnext/projects/doctype/task/task.py | 11 +++++++----
 erpnext/projects/doctype/timesheet/timesheet.py | 2 +-
 erpnext/selling/page/point_of_sale/point_of_sale.py | 12 ++++++++----
 erpnext/setup/doctype/party_type/party_type.py | 2 +-
 .../doctype/item_alternative/item_alternative.py | 4 ++--
 6 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/erpnext/controllers/queries.py b/erpnext/controllers/queries.py
index 8a1f79951a..85a6310bb6 100644
--- a/erpnext/controllers/queries.py
+++ b/erpnext/controllers/queries.py
@@ -208,9 +208,8 @@ def bom(doctype, txt, searchfield, start, page_len, filters):
 limit %(start)s, %(page_len)s """.format(
 fcond=get_filters_cond(doctype, filters, conditions),
 mcond=get_match_cond(doctype),
- key=searchfield),
- {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ key=searchfield), {
+ 'txt': '%' + txt + '%',
 '_txt': txt.replace("%", ""),
 'start': start or 0,
 'page_len': page_len or 20
@@ -353,7 +352,7 @@ def get_income_account(doctype, txt, searchfield, start, page_len, filters):
 {condition} {match_condition}
 order by idx desc, name"""
 .format(condition=condition, match_condition=get_match_cond(doctype), key=searchfield), {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ 'txt': '%' + txt + '%',
 'company': filters.get("company", "")
 })
 
@@ -378,7 +377,7 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
 .format(condition=condition, key=searchfield,
 match_condition=get_match_cond(doctype)), {
 'company': filters.get("company", ""),
- 'txt': frappe.db.escape('%' + txt + '%')
+ 'txt': '%' + txt + '%'
 })
 
 
diff --git a/erpnext/projects/doctype/task/task.py b/erpnext/projects/doctype/task/task.py
index b341325f54..9426a917a0 100755
--- a/erpnext/projects/doctype/task/task.py
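Review bot: `key=searchfield` in the `.format(...)` call is still spliced into the SQL text rather than bound, so the column name reaches the query unescaped; unless the caller validates `searchfield` against the doctype's columns (not visible here), it is the same class of injection surface that this commit is tidying up for `txt`. Dropping `frappe.db.escape` for the bound `%(txt)s` value is correct — the old code presumably escaped once in `frappe.db.escape` and again in the driver, which is what the subject refers to — but a reader skimming this block will not see which arguments are formatted and which are bound. I would add, above the `.format(`, the comment `# fcond/mcond/key are interpolated into the SQL, not bound: never pass user input here unchecked` and check `searchfield` against a whitelist of searchable columns before formatting. `bom` begins above this hunk, so the select/where clause that consumes `{key}` is not in view.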
+++ b/erpnext/projects/doctype/task/task.py
@@ -166,10 +166,13 @@ def get_project(doctype, txt, searchfield, start, page_len, filters):
 where %(key)s like %(txt)s
 %(mcond)s
 order by name
- limit %(start)s, %(page_len)s """ % {'key': searchfield,
- 'txt': frappe.db.escape('%' + txt + '%'),
- 'mcond':get_match_cond(doctype),
- 'start': start, 'page_len': page_len})
+ limit %(start)s, %(page_len)s""" % {
+ 'key': searchfield,
+ 'txt': frappe.db.escape('%' + txt + '%'),
+ 'mcond':get_match_cond(doctype),
+ 'start': start,
+ 'page_len': page_len
+ })
 
 
 @frappe.whitelist()
diff --git a/erpnext/projects/doctype/timesheet/timesheet.py b/erpnext/projects/doctype/timesheet/timesheet.py
index c6f405d75b..c51e3d993f 100644
--- a/erpnext/projects/doctype/timesheet/timesheet.py
+++ b/erpnext/projects/doctype/timesheet/timesheet.py
@@ -223,7 +223,7 @@ def get_timesheet(doctype, txt, searchfield, start, page_len, filters):
 and tsd.parent LIKE %(txt)s {condition}
 order by tsd.parent limit %(start)s, %(page_len)s"""
 .format(condition=condition), {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ 'txt': '%' + txt + '%',
 "start": start, "page_len": page_len, 'project': filters.get("project")
 })
 
diff --git a/erpnext/selling/page/point_of_sale/point_of_sale.py b/erpnext/selling/page/point_of_sale/point_of_sale.py
index 00e4de1292..e7ea4cdc56 100644
--- a/erpnext/selling/page/point_of_sale/point_of_sale.py
+++ b/erpnext/selling/page/point_of_sale/point_of_sale.py
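Review bot: `get_project` is the one query in this commit that still builds its SQL with `%`-string formatting instead of binding, which is why `frappe.db.escape` rightly stays on `txt` here, but the same formatting also splices `start`, `page_len` and `searchfield` into the statement verbatim; if they arrive from the request as strings without a `cint`, `limit %(start)s, %(page_len)s` is an injection point rather than a pagination parameter. The timesheet and party_type hunks in this same commit bind `start`/`page_len` through `frappe.db.sql(query, values)`, and I would bring this function in line with them so that only `key` and `mcond` remain interpolated. `get_project`'s signature and its `select` clause lie above the hunk, and the reformatted lines alone do not change behavior. The rewrite below keeps the interface and the `mcond` match condition as they are.
```python
		# … unchanged: select clause …
		where {key} like %(txt)s {mcond}
		order by name
		limit %(start)s, %(page_len)s""".format(
			key=searchfield,
			mcond=get_match_cond(doctype)
		), {
			'txt': '%' + txt + '%',
			'start': start,
			'page_len': page_len
		})
```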
@@ -60,11 +60,15 @@ def get_items(start, page_length, price_list, item_group, search_value="", pos_p
 where
 i.disabled = 0 and i.has_variants = 0 and i.is_sales_item = 1
 and i.item_group in (select name from `tabItem Group` where lft >= {lft} and rgt <= {rgt})
- and {condition} limit {start}, {page_length}""".format(start=start,page_length=page_length,lft=lft, rgt=rgt, condition=condition),
- {
- 'item_code': item_code,
+ and {condition} limit {start}, {page_length}""".format(
+ start=start,
+ page_length=page_length,
+ lft=lft,
+ rgt=rgt,
+ condition=condition
+ ), {
 'price_list': price_list
- } , as_dict=1)
+ }, as_dict=1)
 
 res = {
 'items': res
diff --git a/erpnext/setup/doctype/party_type/party_type.py b/erpnext/setup/doctype/party_type/party_type.py
index fd044bca03..b29c305ee7 100644
--- a/erpnext/setup/doctype/party_type/party_type.py
+++ b/erpnext/setup/doctype/party_type/party_type.py
@@ -20,6 +20,6 @@ def get_party_type(doctype, txt, searchfield, start, page_len, filters):
 where `{key}` LIKE %(txt)s {cond}
 order by name limit %(start)s, %(page_len)s"""
 .format(key=searchfield, cond=cond), {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ 'txt': '%' + txt + '%',
 'start': start, 'page_len': page_len
 })
diff --git a/erpnext/stock/doctype/item_alternative/item_alternative.py b/erpnext/stock/doctype/item_alternative/item_alternative.py
index 93ec5fd57c..8e54539b18 100644
--- a/erpnext/stock/doctype/item_alternative/item_alternative.py
+++ b/erpnext/stock/doctype/item_alternative/item_alternative.py
@@ -35,6 +35,6 @@ def get_alternative_items(doctype, txt, searchfield, start, page_len, filters):
 where alternative_item_code = %(item_code)s and item_code like %(txt)s
 and two_way = 1) limit {0}, {1}
 """.format(start, page_len), {
- "item_code": frappe.db.escape(filters.get('item_code')),
- "txt": frappe.db.escape('%' + txt + '%')
+ "item_code": filters.get('item_code'),
+ "txt": '%' + txt + '%'
 })
\ No newline at end of file
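Review bot: `start` and `page_length` are parameters of `get_items` (visible in the hunk header) and the reformatted `.format(...)` block still splices them straight into `limit {start}, {page_length}`; unless they are coerced to integers above the hunk, a non-numeric request value becomes SQL, whereas `price_list` on the same call is properly bound. I would bind them the same way: `and {condition} limit %(start)s, %(page_length)s""".format(lft=lft, rgt=rgt, condition=condition), {` with `'start': cint(start), 'page_length': cint(page_length), 'price_list': price_list` in the values dict (`cint` from `frappe.utils` if the file does not already import it). Dropping `'item_code': item_code` from the values dict is only safe if `condition`, built above the hunk, no longer contains a `%(item_code)s` placeholder, since the driver fails on an unbound name — worth confirming, as this hunk does not show how `condition` is built.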
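Review bot: The two bound values are now correct, but `limit {0}, {1}` on the line above `""".format(start, page_len), {` still interpolates `start` and `page_len` into the SQL; `get_alternative_items` receives them through the same search endpoint that supplies `txt`, so they deserve the same treatment: `and two_way = 1) limit %(start)s, %(page_len)s` with `"start": start, "page_len": page_len` added to the values dict, as timesheet.py does elsewhere in this commit. `filters.get('item_code')` will raise if `filters` is passed as `None`; whether the endpoint guarantees a dict here is not visible in the hunk, so a short `filters = filters or {}` guard above the query would be cheap insurance. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the block is being touched.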