[FIX]Prevent sql injection²

bzr revid: dle@openerp.com-20121218102501-mguye0rnkl0yjgm1
This commit is contained in:
dle@openerp.com 2012-12-18 11:25:01 +01:00
parent 9e0df9b5d1
commit 4a07e497da
1 changed files with 2 additions and 2 deletions


@ -92,9 +92,9 @@ class account_coda_import(osv.osv_memory):
statement['journal_id'] = False
statement['bank_account'] = False
if len(statement['acc_number']) >= 12:
cr.execute("select id from res_partner_bank where replace(acc_number,' ','') like '%%%s%%'" % statement['acc_number'])
cr.execute("select id from res_partner_bank where replace(acc_number,' ','') like %s", ('%' + statement['acc_number'] + '%',))
else:
cr.execute("select id from res_partner_bank where replace(acc_number,' ','') = '%s'" % statement['acc_number'])
cr.execute("select id from res_partner_bank where replace(acc_number,' ','') = %s", (statement['acc_number'],))
bank_ids = [id[0] for id in cr.fetchall()]
if bank_ids and len(bank_ids) > 0:
bank_accs = self.pool.get('res.partner.bank').browse(cr, uid, bank_ids)
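Review bot: The parameterized LIKE on the new `cr.execute(... like %s, ('%' + statement['acc_number'] + '%',))` line closes the SQL injection but still lets `%` and `_` inside `acc_number` act as LIKE wildcards, so an account number read from the imported CODA file that contains `%` would match every row of `res_partner_bank` instead of one. Escape the pattern before wrapping it: `acc = statement['acc_number'].replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_')` and then `cr.execute("select id from res_partner_bank where replace(acc_number,' ','') like %s", ('%' + acc + '%',))`. The equality branch that follows is not affected, since `=` does no pattern matching. The enclosing method starts before this hunk, so I cannot see whether `acc_number` is already normalized on the way in.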