Fix sql injection
diff --git a/erpnext/setup/doctype/item_group/item_group.py b/erpnext/setup/doctype/item_group/item_group.py
index 22375ae..9f25882 100644
--- a/erpnext/setup/doctype/item_group/item_group.py
+++ b/erpnext/setup/doctype/item_group/item_group.py
@@ -119,7 +119,7 @@
or I.name like %(search)s)"""
search = "%" + cstr(search) + "%"
- query += """order by I.weightage desc, in_stock desc, I.modified desc limit %s, %s""" % (start, limit)
+ query += """order by I.weightage desc, in_stock desc, I.modified desc limit %s, %s""" % (cint(start), cint(limit))
data = frappe.db.sql(query, {"product_group": product_group,"search": search, "today": nowdate()}, as_dict=1)
data = adjust_qty_for_expired_items(data)
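Review bot: On the changed `limit %s, %s` line, `cint()` closes the injection but still accepts negative integers and puts no ceiling on `limit`, so a caller-controlled value can still trigger a database syntax error or request an unbounded page. Consider clamping before formatting, e.g. `start = max(cint(start), 0)` and `limit = min(max(cint(limit), 0), MAX_PAGE_SIZE)`, where `MAX_PAGE_SIZE` is a placeholder for whatever cap the project chooses. Passing the coerced integers as named parameters in the dict already given to `frappe.db.sql` on the next line (next to `product_group` and `search`) would also keep every request-derived value out of string formatting, assuming the driver accepts bound values in the LIMIT clause. The enclosing function starts and ends outside this hunk, so whether `start` and `limit` are validated earlier cannot be seen here.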