[fix] don't allow string values in limits to avoid sql injection (#8779)

diff --git a/erpnext/templates/pages/product_search.py b/erpnext/templates/pages/product_search.py
index 8766db3..49f321d 100644
--- a/erpnext/templates/pages/product_search.py
+++ b/erpnext/templates/pages/product_search.py
@@ -3,7 +3,7 @@
 
 from __future__ import unicode_literals
 import frappe
-from frappe.utils import cstr, nowdate
+from frappe.utils import cstr, nowdate, cint
 from erpnext.setup.doctype.item_group.item_group import get_item_for_list_in_html
 
 no_cache = 1
@@ -33,7 +33,7 @@
 		search = "%" + cstr(search) + "%"
 
 	# order by
-	query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (start, limit)
+	query += """ order by weightage desc, idx desc, modified desc limit %s, %s""" % (cint(start), cint(limit))
 
 	data = frappe.db.sql(query, {
 		"search": search,
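Review bot: The `cint(start)` and `cint(limit)` calls on the `limit %s, %s` line close the injection path but leave both values unbounded. A negative number still reaches the statement, where MySQL will most likely reject it as a syntax error, and a very large `limit` lets one request pull the entire matching item set. Clamping before formatting would cover both, e.g. `start, limit = max(cint(start), 0), min(max(cint(limit), 1), MAX_PAGE_SIZE)`, where `MAX_PAGE_SIZE` is a placeholder for a cap the project chooses. A comment such as `# LIMIT is built by string formatting, so start/limit must be coerced to int` would keep the coercion from being dropped in a later cleanup. The enclosing function starts and ends outside this hunk, so whether callers already validate these arguments is not visible here.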