fix: escaped warehouse value for sql query (bp #26049)

Co-authored-by: Noah Jacob <noahjacobkurian@gmail.com>
2021-06-18 14:47:30 +05:30 · 2021-06-18 14:47:30 +05:30 · 584fe32900
commit 584fe32900
parent e43df63978
1 changed files with 2 additions and 5 deletions
--- a/erpnext/controllers/stock_controller.py
+++ b/erpnext/controllers/stock_controller.py
@ -558,11 +558,8 @@ def future_sle_exists(args):
 	or_conditions = []
 	for warehouse, items in warehouse_items_map.items():
 		or_conditions.append(
-			"warehouse = '{}' and item_code in ({})".format(
-				warehouse,
-				", ".join(frappe.db.escape(item) for item in items)
-			)
-		)
+			f"""warehouse = {frappe.db.escape(warehouse)}
+				and item_code in ({', '.join(frappe.db.escape(item) for item in items)})""")

 	return frappe.db.sql("""
 		select name