From 6ea3de9521fa42d442fafd6e42e6314ef8c175b8 Mon Sep 17 00:00:00 2001
From: Suraj Shetty
Date: Wed, 26 Sep 2018 18:15:53 +0530
Subject: [PATCH] Fix quote issues (#15497)
* Fix quotes issues
* Remove frappe.db.escape
- Handle escape in the update_linked_doctypes method
---
 .../budget_variance_report.py | 14 +++++++-------
 erpnext/controllers/queries.py | 4 ++--
 erpnext/projects/doctype/task/task.py | 2 +-
 erpnext/selling/doctype/customer/customer.py | 2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/erpnext/accounts/report/budget_variance_report/budget_variance_report.py b/erpnext/accounts/report/budget_variance_report/budget_variance_report.py
index 75739d9007..08402811c5 100644
--- a/erpnext/accounts/report/budget_variance_report/budget_variance_report.py
+++ b/erpnext/accounts/report/budget_variance_report/budget_variance_report.py
@@ -65,20 +65,20 @@ def get_columns(filters):
 return columns + [_("Total Target") + ":Float:120", _("Total Actual") + ":Float:120", _("Total Variance") + ":Float:120"]
-
+
 def get_cost_centers(filters):
 cond = "and 1=1"
 if filters.get("budget_against") == "Cost Center":
 cond = "order by lft"
-return frappe.db.sql_list("""select name from `tab{tab}` where company=%s
+return frappe.db.sql_list("""select name from `tab{tab}` where company=%s
 {cond}""".format(tab=filters.get("budget_against"), cond=cond), filters.get("company"))
 #Get cost center & target details
 def get_cost_center_target_details(filters):
 cond = ""
 if filters.get("cost_center"):
-cond += " and b.cost_center='%s'" % frappe.db.escape(filters.get("cost_center"))
+cond += " and b.cost_center=%s" % frappe.db.escape(filters.get("cost_center"))
 return frappe.db.sql("""
 select b.{budget_against} as budget_against, b.monthly_distribution, ba.account, ba.budget_amount
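Review bot: The table name in the `get_cost_centers` query is still spliced in unescaped — `tab{tab}` is filled by `.format(tab=filters.get("budget_against"))`, so the `company=%s` parameter on the changed line protects the value while a report filter value chooses the identifier. The same `{tab}` and `{budget_against}` interpolation appears in `get_actual_details` further down, so the check belongs at the top of both functions: `if filters.get("budget_against") not in ("Cost Center", "Project"): frappe.throw(_("Invalid value for Budget Against"))` — only "Cost Center" is visible in this hunk, so confirm the accepted values against the report's filter definition. The de-quoted `b.cost_center=%s` is correct only because `frappe.db.escape` returns an already-quoted literal; a comment saying so, `# frappe.db.escape() returns the value already quoted`, would stop the next reader from putting the quotes back. `get_cost_center_target_details` continues past the end of this hunk.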
@@ -106,7 +106,7 @@ def get_actual_details(name, filters):
 if filters.get("budget_against") == "Cost Center":
 cc_lft, cc_rgt = frappe.db.get_value("Cost Center", name, ["lft", "rgt"])
 cond = "lft>='{lft}' and rgt<='{rgt}'".format(lft = cc_lft, rgt=cc_rgt)
-
+
 ac_details = frappe.db.sql("""select gl.account, gl.debit, gl.credit, MONTHNAME(gl.posting_date) as month_name, b.{budget_against} as budget_against from `tabGL Entry` gl, `tabBudget Account` ba, `tabBudget` b
@@ -115,7 +115,7 @@ def get_actual_details(name, filters):
 and b.docstatus = 1
 and ba.account=gl.account
 and b.{budget_against} = gl.{budget_against}
-and gl.fiscal_year=%s
+and gl.fiscal_year=%s
 and b.{budget_against}=%s
 and exists(select name from `tab{tab}` where name=gl.{budget_against} and {cond}) group by gl.name
 """.format(tab = filters.budget_against, budget_against = budget_against, cond = cond),
@@ -136,7 +136,7 @@ def get_cost_center_account_month_map(filters):
 for ccd in cost_center_target_details:
 actual_details = get_actual_details(ccd.budget_against, filters)
-
+
 for month_id in range(1, 13):
 month = datetime.date(2013, month_id, 1).strftime('%B')
@@ -150,7 +150,7 @@ def get_cost_center_account_month_map(filters):
 if ccd.monthly_distribution else 100.0/12
 tav_dict.target = flt(ccd.budget_amount) * month_percentage / 100
-
+
 for ad in actual_details.get(ccd.account, []):
 if ad.month_name == month:
 tav_dict.actual += flt(ad.debit) - flt(ad.credit)
diff --git a/erpnext/controllers/queries.py b/erpnext/controllers/queries.py
index 4c4bf788a0..8a1f79951a 100644
--- a/erpnext/controllers/queries.py
+++ b/erpnext/controllers/queries.py
@@ -219,7 +219,7 @@ def bom(doctype, txt, searchfield, start, page_len, filters):
 def get_project_name(doctype, txt, searchfield, start, page_len, filters):
 cond = ''
 if filters.get('customer'):
-cond = """(`tabProject`.customer = '%s' or
+cond = """(`tabProject`.customer = %s or
 ifnull(`tabProject`.customer,"")="") and""" %(frappe.db.escape(filters.get("customer")))
 return frappe.db.sql("""select `tabProject`.name from `tabProject`
@@ -398,7 +398,7 @@ def warehouse_query(doctype, txt, searchfield, start, page_len, filters):
 CONCAT_WS(" : ", "Actual Qty", ifnull( ({sub_query}), 0) ) as actual_qty from `tabWarehouse` where
-`tabWarehouse`.`{key}` like '{txt}'
+`tabWarehouse`.`{key}` like {txt}
 {fcond} {mcond}
 order by `tabWarehouse`.name desc
diff --git a/erpnext/projects/doctype/task/task.py b/erpnext/projects/doctype/task/task.py
index ebe38afa30..b341325f54 100755
--- a/erpnext/projects/doctype/task/task.py
+++ b/erpnext/projects/doctype/task/task.py
@@ -163,7 +163,7 @@ def check_if_child_exists(name):
 def get_project(doctype, txt, searchfield, start, page_len, filters):
 from erpnext.controllers.queries import get_match_cond
 return frappe.db.sql(""" select name from `tabProject`
-where %(key)s like "%(txt)s"
+where %(key)s like %(txt)s
 %(mcond)s order by name
 limit %(start)s, %(page_len)s
 """ % {'key': searchfield,
diff --git a/erpnext/selling/doctype/customer/customer.py b/erpnext/selling/doctype/customer/customer.py
index d285704eb4..16dac285e6 100644
--- a/erpnext/selling/doctype/customer/customer.py
+++ b/erpnext/selling/doctype/customer/customer.py
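Review bot: On the changed `like {txt}` line the column `{key}` is still interpolated raw, and it comes straight from the `searchfield` parameter of `warehouse_query`, which the client supplies; only the value side gained escaping here. Unless the `.format()` call (outside this hunk) or the caller validates `searchfield`, a crafted identifier is spliced into the statement, so guard it before formatting, e.g. `if searchfield not in ALLOWED_WAREHOUSE_SEARCHFIELDS: searchfield = "name"`, with the tuple listing the columns this lookup is meant to search. `warehouse_query` begins and ends outside this hunk.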
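Review bot: The `%`-formatting on the last line of this hunk also substitutes `%(key)s`, `%(start)s` and `%(page_len)s` straight into the statement, so the query is only as safe as those three values, and `searchfield`, `start` and `page_len` are all client-supplied parameters of `get_project`. Unless they are coerced earlier (the mapping continues outside the hunk), make the two limits integers — `'start': int(start), 'page_len': int(page_len)` — and check `searchfield` against the column names this lookup is meant to search before it reaches the format. `get_project` runs past the end of this hunk.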
@@ -91,7 +91,7 @@ class Customer(TransactionBase):
 def update_customer_groups(self):
 ignore_doctypes = ["Lead", "Opportunity", "POS Profile", "Tax Rule", "Pricing Rule"]
 if frappe.flags.customer_group_changed:
-update_linked_doctypes('Customer', frappe.db.escape(self.name), 'Customer Group',
+update_linked_doctypes('Customer', self.name, 'Customer Group',
 self.customer_group, ignore_doctypes)
 def create_primary_contact(self):
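Review bot: The commit message says escaping now happens inside `update_linked_doctypes`, but that function is not part of this patch — the diffstat lists four files and none of them defines it — so this line now passes `self.name` raw and is only safe together with a matching change in the dependency that provides `update_linked_doctypes` (presumably frappe). Record that coupling in the PR, or bump the required frappe version, so the two changes cannot ship apart; paired with an older frappe this hunk reintroduces unescaped input. `update_customer_groups` is fully inside the hunk; `create_primary_contact` begins on its last line and continues outside.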