From 62c7deee00a8a61942c1434164a4597ce52e7594 Mon Sep 17 00:00:00 2001
From: Saurabh
Date: Thu, 11 May 2017 18:03:12 +0530
Subject: [PATCH] [fix] don't allow string values in limits to avoid sql injection (#8779)
---
 erpnext/templates/pages/product_search.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/erpnext/templates/pages/product_search.py b/erpnext/templates/pages/product_search.py
index 8766db3dfa..49f321dd9a 100644
--- a/erpnext/templates/pages/product_search.py
+++ b/erpnext/templates/pages/product_search.py
@@ -3,7 +3,7 @@ from __future__ import unicode_literals
 import frappe
-from frappe.utils import cstr, nowdate
+from frappe.utils import cstr, nowdate, cint
 from erpnext.setup.doctype.item_group.item_group import get_item_for_list_in_html
 no_cache = 1
@@ -33,7 +33,7 @@ def get_product_list(search=None, start=0, limit=12):
 search = "%" + cstr(search) + "%"
 # order by
-query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (start, limit)
+query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (cint(start), cint(limit))
 data = frappe.db.sql(query, {
 "search": search,
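Review bot: cint() keeps arbitrary strings out of the LIMIT clause, but the added `% (cint(start), cint(limit))` still lets negative values through: cint("-1") evaluates to -1, and MySQL rejects a negative LIMIT operand, so a malformed start or limit from the request now surfaces as a database error rather than being rejected up front. Clamping both to non-negative integers before the `query +=` line closes that gap, e.g. `start, limit = max(cint(start), 0), max(cint(limit), 0)`, and a one-line comment such as `# LIMIT operands are interpolated into the SQL text, so they must be ints, never request strings` records why these two values are coerced while the others are bound through the parameter dict. Since limit is still caller-controlled, an upper bound on the page size is worth considering in the same place. get_product_list starts and ends outside this hunk.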