fix(sqli): Avoid SQL Injection with sender param (#16509)

commit: 9acb885e60f77cd4e9ea8c98bdc39c18abcac731 [log] [tgz]
author: Aditya Hase <aditya@adityahase.com> Tue Jan 29 10:52:37 2019 +0530
committer: Sagar Vora <sagar@resilient.tech> Tue Jan 29 10:52:37 2019 +0530
tree: 5662c2ebc166b2d64ee01357e62e76339b6d02b1
parent: 385e3bb28485240160cb650938f01dbda740dc8a [diff]
diff --git a/erpnext/templates/utils.py b/erpnext/templates/utils.py
index eb84bcc..8e14c06 100644
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py

@@ -16,7 +16,7 @@
 
 	customer = frappe.db.sql("""select distinct dl.link_name from `tabDynamic Link` dl
 		left join `tabContact` c on dl.parent=c.name where dl.link_doctype='Customer'
-		and c.email_id='{email_id}'""".format(email_id=sender))
+		and c.email_id = %s""", sender)
 
 	if not customer:
 		lead = frappe.db.get_value('Lead', dict(email_id=sender))
commit	9acb885e60f77cd4e9ea8c98bdc39c18abcac731	[log] [tgz]
author	Aditya Hase <aditya@adityahase.com>	Tue Jan 29 10:52:37 2019 +0530
committer	Sagar Vora <sagar@resilient.tech>	Tue Jan 29 10:52:37 2019 +0530
tree	5662c2ebc166b2d64ee01357e62e76339b6d02b1
parent	385e3bb28485240160cb650938f01dbda740dc8a [diff]