From dcd54209fcfc4d8e8226edaecad9a10985a3d650 Mon Sep 17 00:00:00 2001
From: tunde
Date: Thu, 22 Jun 2017 11:02:19 +0100
Subject: [PATCH] parameterises sql string
---
 erpnext/templates/pages/rfq.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/erpnext/templates/pages/rfq.py b/erpnext/templates/pages/rfq.py
index abc28904c3..aaf4110496 100644
--- a/erpnext/templates/pages/rfq.py
+++ b/erpnext/templates/pages/rfq.py
@@ -29,7 +29,7 @@ def get_supplier():
 def check_supplier_has_docname_access(supplier):
 	status = True
 	if frappe.form_dict.name not in frappe.db.sql_list("""select parent from `tabRequest for Quotation Supplier`
-		where supplier = '{supplier}'""".format(supplier=supplier)):
+		where supplier = %s""", (supplier,)):
 		status = False
 	return status
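Review bot: The new `where supplier = %s` line still selects every RFQ parent for the supplier and then filters on the request's `frappe.form_dict.name` in Python; now that values are bound as parameters, the untrusted name can be pushed into the same query so the database answers the access question directly and the result set stays one row at most, e.g. `return bool(frappe.db.sql_list("""select parent from `tabRequest for Quotation Supplier` where parent = %s and supplier = %s""", (frappe.form_dict.name, supplier)))`. That also removes the `status = True` / `status = False` flag, which reads as a Boolean returned through a temporary. The function has no docstring; I would add `"""Return True when the RFQ named in form_dict lists *supplier* as a quotation supplier."""` so the access-check intent is explicit to later readers. The hunk header counts seven lines but only six are visible here, so the trailing context line is presumably blank and the function appears to be fully within the hunk.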