From 561fa6b53019b064764019aacf36b2ddd3e86c0e Mon Sep 17 00:00:00 2001
From: marination
Date: Thu, 1 Apr 2021 12:53:22 +0530
Subject: [PATCH] fix: Don't string format args as they may not be escaped properly
- Append even conditional args to args list and send to query executer
- It will escape all values that are sent to it
- String formatting without escaping causes issues with % sign, etc.
---
 .../doctype/quality_inspection/quality_inspection.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/erpnext/stock/doctype/quality_inspection/quality_inspection.py b/erpnext/stock/doctype/quality_inspection/quality_inspection.py
index 05819ab854..469511af60 100644
--- a/erpnext/stock/doctype/quality_inspection/quality_inspection.py
+++ b/erpnext/stock/doctype/quality_inspection/quality_inspection.py
@@ -64,17 +64,21 @@ class QualityInspection(Document):
 (quality_inspection, self.modified, self.reference_name, self.item_code))
 else:
+ args = [quality_inspection, self.modified, self.reference_name, self.item_code]
 doctype = self.reference_type + ' Item'
+
 if self.reference_type == 'Stock Entry':
 doctype = 'Stock Entry Detail'
 if self.reference_type and self.reference_name:
 conditions = ""
 if self.batch_no and self.docstatus == 1:
- conditions += " and t1.batch_no = '%s'"%(self.batch_no)
+ conditions += " and t1.batch_no = %s"
+ args.append(self.batch_no)
 if self.docstatus == 2: # if cancel, then remove qi link wherever same name
- conditions += " and t1.quality_inspection = '%s'"%(self.name)
+ conditions += " and t1.quality_inspection = %s"
+ args.append(self.name)
 frappe.db.sql("""
 UPDATE
@@ -87,7 +91,7 @@ class QualityInspection(Document):
 and t1.parent = t2.name
 {conditions}
 """.format(parent_doc=self.reference_type, child_doc=doctype, conditions=conditions),
- (quality_inspection, self.modified, self.reference_name, self.item_code))
+ args)
 def inspect_and_set_status(self):
 for reading in self.readings:
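Review bot: The two conditional values now travel through `args` and the `%s` placeholders, but `parent_doc=self.reference_type` and `child_doc=doctype` in the second hunk are still spliced into the table names with `.format`, and placeholders cannot cover identifiers, so that part of the query is only as safe as the value of `self.reference_type`. Since `self.reference_type` is document field data, I'd guard it before it reaches `` `tab{parent_doc}` `` with an explicit membership check against the reference types the method is written for (the hunk shows `'Stock Entry'`, the rest are set outside this hunk) and raise `frappe.ValidationError` otherwise, rather than relying on the Link field alone. A one-line comment at the new `args = [...]` line would also record the split the commit introduces: `# query values go through db.sql placeholders; only doctype names are formatted into the SQL text`. The enclosing method begins above the first hunk, so the earlier branch that builds its own `.format(doctype=self.reference_type)` query is outside my view and presumably needs the same guard.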