fix(patch): escape illegal characters to avoid SQL syntax error (#17889)

2019-06-10 17:38:42 +05:30
parent cd2938e2d0
commit 4bc86c7e9d
1 changed files with 1 additions and 1 deletions
--- a/erpnext/patches/v11_0/update_total_qty_field.py
+++ b/erpnext/patches/v11_0/update_total_qty_field.py
@@ -40,7 +40,7 @@ def execute():
 			# This is probably never used anywhere else as of now, but should be
 			values = []
 			for d in batch_transactions:
-				values.append("('{}', {})".format(d.parent, d.qty))
+				values.append("('{}', {})".format(frappe.db.escape(d.parent), d.qty))
 			conditions = ",".join(values)
 			frappe.db.sql("""
 				INSERT INTO `tab{}` (name, total_qty) VALUES {}