Fix sql injection

2020-01-27 09:02:02 -03:00 · 2020-01-27 09:02:02 -03:00 · be1895fd08
commit be1895fd08
parent e009187e02
1 changed files with 1 additions and 1 deletions
--- a/erpnext/setup/doctype/item_group/item_group.py
+++ b/erpnext/setup/doctype/item_group/item_group.py
@ -119,7 +119,7 @@ def get_product_list_for_group(product_group=None, start=0, limit=10, search=Non
 				or I.name like %(search)s)"""
 		search = "%" + cstr(search) + "%"

-	query += """order by I.weightage desc, in_stock desc, I.modified desc limit %s, %s""" % (start, limit)
+	query += """order by I.weightage desc, in_stock desc, I.modified desc limit %s, %s""" % (cint(start), cint(limit))

 	data = frappe.db.sql(query, {"product_group": product_group,"search": search, "today": nowdate()}, as_dict=1)
 	data = adjust_qty_for_expired_items(data)