[fix] injection

This commit is contained in:
Anand Doshi
2015-11-17 18:27:50 +05:30
parent 3667da1053
commit da79740cdf
11 changed files with 53 additions and 50 deletions


@@ -13,12 +13,12 @@ def get_time_log_list(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist()
def query_task(doctype, txt, searchfield, start, page_len, filters):
from frappe.desk.reportview import build_match_conditions
search_string = "%%%s%%" % txt
order_by_string = "%s%%" % txt
match_conditions = build_match_conditions("Task")
match_conditions = ("and" + match_conditions) if match_conditions else ""
return frappe.db.sql("""select name, subject from `tabTask`
where (`%s` like %s or `subject` like %s) %s
order by
@@ -26,7 +26,7 @@ def query_task(doctype, txt, searchfield, start, page_len, filters):
case when `%s` like %s then 0 else 1 end,
`%s`,
subject
limit %s, %s""" %
(searchfield, "%s", "%s", match_conditions, "%s",
searchfield, "%s", searchfield, "%s", "%s"),
(search_string, search_string, order_by_string, order_by_string, start, page_len))
limit %s, %s""" %
(frappe.db.escape(searchfield), "%s", "%s", match_conditions, "%s",
frappe.db.escape(searchfield), "%s", frappe.db.escape(searchfield), "%s", "%s"),
(search_string, search_string, order_by_string, order_by_string, start, page_len))
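Review bot: The new side still builds the SQL identifier from the caller-supplied `searchfield` by string interpolation inside backticks, only now passed through `frappe.db.escape`; that helper is a value escaper, and whether its output (quoting, backtick handling) is safe as a column name cannot be seen from this hunk, so the identifier path remains the weak point. The defensive pattern for identifiers is an allow-list, not escaping: check `searchfield` against the Task doctype's known column names before it reaches the query, e.g. `if searchfield not in <allowed Task column names>: frappe.throw("Invalid search field")`, and then interpolate the validated name. The value parameters (`search_string`, `order_by_string`, `start`, `page_len`) are correctly left to the driver's parameter binding. `match_conditions` is also interpolated as raw SQL; that is presumably acceptable because it comes from `build_match_conditions`, but a one-line comment stating that assumption would help the next reader. The enclosing `query_task` starts outside this hunk.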