From 9acb885e60f77cd4e9ea8c98bdc39c18abcac731 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Tue, 29 Jan 2019 10:52:37 +0530
Subject: [PATCH] fix(sqli): Avoid SQL Injection with sender param (#16509)

---
 erpnext/templates/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/erpnext/templates/utils.py b/erpnext/templates/utils.py
index eb84bcc8d8..8e14c067f1 100644
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py
@@ -16,7 +16,7 @@ def send_message(subject="Website Query", message="", sender="", status="Open"):
 customer = frappe.db.sql("""select distinct dl.link_name from `tabDynamic Link` dl
 left join `tabContact` c on dl.parent=c.name
 where dl.link_doctype='Customer'
- and c.email_id='{email_id}'""".format(email_id=sender))
+ and c.email_id = %s""", sender)
 
 if not customer:
 lead = frappe.db.get_value('Lead', dict(email_id=sender))
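Review bot: The added line passes `sender` to frappe.db.sql as a bare string rather than as a sequence of bind values, so it relies on the DB driver treating a scalar as the single argument for the lone `%s`; some drivers iterate a string argument character by character instead, which would break the query on multi-character addresses. The explicit, driver-independent form is `and c.email_id = %s""", (sender,))`. The parameterized query is the right fix for the injection, and `frappe.db.get_value('Lead', dict(email_id=sender))` on the last context line already binds its value through the ORM, so it needs no change. send_message continues past the end of this hunk, so any other string-formatted queries in the rest of the function are not visible here and would warrant the same treatment.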