[sql] [fix] fixed item.py injections
diff --git a/selling/doctype/sales_common/sales_common.py b/selling/doctype/sales_common/sales_common.py
index b9f9af6..7b1528b 100644
--- a/selling/doctype/sales_common/sales_common.py
+++ b/selling/doctype/sales_common/sales_common.py
@@ -125,8 +125,7 @@
 	def get_item_details(self, args, obj):
 		import json
 		if not obj.doc.price_list_name:
-			msgprint("Please Select Price List before selecting Items")
-			raise Exception
+			msgprint("Please Select Price List before selecting Items", raise_exception=True)
 		item = webnotes.conn.sql("""select description, item_name, brand, item_group, stock_uom, 
 			default_warehouse, default_income_account, default_sales_cost_center, 
 			purchase_account, description_html, barcode from `tabItem` 
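Review bot: The select on tabItem that starts right after the changed line runs past the end of the hunk, so its where clause cannot be checked from here. Since this commit is labelled as an injection fix and `args` looks like client-supplied JSON (the method imports `json`; an inference, not shown), it is worth confirming that the query binds the item code through a `%s` placeholder rather than string formatting. Separately, `msgprint(..., raise_exception=True)` may raise a different exception type than the old bare `raise Exception`, so any caller that catches a specific type should be checked. The body of get_item_details continues outside the hunk.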
diff --git a/stock/doctype/item/item.py b/stock/doctype/item/item.py
index c0f0a07..3486f92 100644
--- a/stock/doctype/item/item.py
+++ b/stock/doctype/item/item.py
@@ -39,7 +39,8 @@
 		# webpage updates
 		self.update_website()
 			
-		bin = sql("select stock_uom from `tabBin` where item_code = '%s' " % self.doc.item_code)
+		bin = sql("select stock_uom from `tabBin` where item_code = %s", 
+			self.doc.item_code)
 		if bin and cstr(bin[0][0]) and cstr(bin[0][0]) != cstr(self.doc.stock_uom):
 			msgprint("Please Update Stock UOM with the help of Stock UOM Replace Utility.")
 			raise Exception
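Review bot: The value bound on the new `sql(...)` call is passed as a bare string (`self.doc.item_code`) rather than as a sequence, so correct binding depends on how `sql()` and the database driver treat a scalar parameter argument, which is not visible in this diff. A one-element tuple is unambiguous and stays correct if a second placeholder is added later: pass `(self.doc.item_code,)` here. The same applies to the two `self.doc.name` arguments in the check_for_active_boms hunks below, which would become `(self.doc.name,)`. The enclosing method starts outside this hunk.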
@@ -149,7 +150,7 @@
 
 	def check_for_active_boms(self, field_label):
 		if field_label in ['Is Active', 'Is Purchase Item']:
-			bom_mat = sql("select distinct t1.parent from `tabBOM Item` t1, `tabBOM` t2 where t1.item_code ='%s' and (t1.bom_no = '' or t1.bom_no is NULL) and t2.name = t1.parent and t2.is_active = 1 and t2.docstatus = 1 and t1.docstatus =1 " % self.doc.name )
+			bom_mat = sql("select distinct t1.parent from `tabBOM Item` t1, `tabBOM` t2 where t1.item_code =%s and (t1.bom_no = '' or t1.bom_no is NULL) and t2.name = t1.parent and t2.is_active = 1 and t2.docstatus = 1 and t1.docstatus =1 ", self.doc.name)
 			if bom_mat and bom_mat[0][0]:
 				msgprint("%s should be 'Yes'. As Item %s is present in one or many Active BOMs." % (cstr(field_label), cstr(self.doc.name)))
 				raise Exception
@@ -157,7 +158,7 @@
 				and self.doc.is_sub_contracted_item != 'Yes') 
 				or (field_label == 'Is Sub Contracted Item' 
 				and self.doc.is_manufactured_item != 'Yes')):
-			bom = sql("select name from `tabBOM` where item = '%s' and is_active = 1" % cstr(self.doc.name))
+			bom = sql("select name from `tabBOM` where item = %s and is_active = 1", self.doc.name)
 			if bom and bom[0][0]:
 				msgprint("%s should be 'Yes'. As Item %s is present in one or many Active BOMs." % (cstr(field_label), cstr(self.doc.name)))
 				raise Exception