[fix] don't allow string values in limits to avoid sql injection (#8779)

This commit is contained in:
Saurabh 2017-05-11 18:03:12 +05:30 committed by Rushabh Mehta
parent fcefc601e0
commit 62c7deee00


@ -3,7 +3,7 @@
from __future__ import unicode_literals
import frappe
from frappe.utils import cstr, nowdate
from frappe.utils import cstr, nowdate, cint
from erpnext.setup.doctype.item_group.item_group import get_item_for_list_in_html
no_cache = 1
@ -33,7 +33,7 @@ def get_product_list(search=None, start=0, limit=12):
search = "%" + cstr(search) + "%"
# order by
query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (start, limit)
query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (cint(start), cint(limit))
data = frappe.db.sql(query, {
"search": search,
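Review bot: `cint()` on the new `query +=` line closes the string-injection hole, but a negative or oversized value still reaches the `limit` clause unchecked: `limit -1, -1` is a MySQL syntax error that surfaces as an unhandled exception, and nothing caps `limit`, so a caller can request an unbounded page. I would clamp both before formatting, e.g. `start = max(cint(start), 0)` and `limit = max(0, min(cint(limit), 100))` (pick a cap that suits the product listing), and then keep the existing `%` formatting on the clamped ints. Since the values are now integers they could also travel through the `frappe.db.sql` parameter dict like `search` already does (`limit %(start)s, %(limit)s` with `"start"` and `"limit"` added to the dict), keeping every caller-supplied value out of the query string; confirm the driver renders ints unquoted before switching. Whether `start`/`limit` arrive straight from a web request is not visible here, and `get_product_list` begins and ends outside the hunk.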