fix: escape sql filters in credit report

closes #24965
diff --git a/erpnext/selling/report/customer_credit_balance/customer_credit_balance.py b/erpnext/selling/report/customer_credit_balance/customer_credit_balance.py
index f396705..6fb7666 100644
--- a/erpnext/selling/report/customer_credit_balance/customer_credit_balance.py
+++ b/erpnext/selling/report/customer_credit_balance/customer_credit_balance.py
@@ -57,18 +57,18 @@
 	return columns
 
 def get_details(filters):
-	conditions = ""
 
+	sql_query = """SELECT
+						c.name, c.customer_name,
+						ccl.bypass_credit_limit_check,
+						c.is_frozen, c.disabled
+					FROM `tabCustomer` c, `tabCustomer Credit Limit` ccl
+					WHERE
+						c.name = ccl.parent
+						AND ccl.company = %(company)s"""
+
+	# customer filter is optional.
 	if filters.get("customer"):
-		conditions += " AND c.name = '" + filters.get("customer") + "'"
+		sql_query += " AND c.name = %(customer)s"
 
-	return frappe.db.sql("""SELECT
-			c.name, c.customer_name,
-			ccl.bypass_credit_limit_check,
-			c.is_frozen, c.disabled
-		FROM `tabCustomer` c, `tabCustomer Credit Limit` ccl
-		WHERE
-			c.name = ccl.parent
-			AND ccl.company = '{0}'
-			{1}
-	""".format( filters.get("company"),conditions), as_dict=1) #nosec
+	return frappe.db.sql(sql_query, filters, as_dict=1)
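Review bot: The final `frappe.db.sql(sql_query, filters, as_dict=1)` call binds the whole caller-supplied `filters` object, so the `%(company)s` placeholder relies on a key that `get_details` never checks. If `company` is missing (whether callers can omit it is not visible in this hunk), substitution will probably fail with a low-level driver or formatting error instead of a clear validation message. Passing only the keys the query uses makes the binding explicit and keeps unrelated filter keys out of the driver call: `values = {"company": filters.get("company"), "customer": filters.get("customer")}` followed by `return frappe.db.sql(sql_query, values, as_dict=1)`. A one-line docstring on `get_details` saying that filter values are bound as named parameters and must never be concatenated into `sql_query` would help stop later filters from reintroducing string building.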