fix(sqli): Avoid SQL Injection with sender param (#16509)

2019-01-29 10:52:37 +05:30 · 2019-01-29 10:52:37 +05:30 · 9acb885e60
commit 9acb885e60
parent 385e3bb284
1 changed files with 1 additions and 1 deletions
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py
@ -16,7 +16,7 @@ def send_message(subject="Website Query", message="", sender="", status="Open"):

 	customer = frappe.db.sql("""select distinct dl.link_name from `tabDynamic Link` dl
 		left join `tabContact` c on dl.parent=c.name where dl.link_doctype='Customer'
-		and c.email_id='{email_id}'""".format(email_id=sender))
+		and c.email_id = %s""", sender)

 	if not customer:
 		lead = frappe.db.get_value('Lead', dict(email_id=sender))