[FIX] SQLI

bzr revid: fp@tinyerp.com-20100128192241-6xp4502kk00shrdx
Fabien Pinckaers 2010-01-28 20:22:41 +01:00
parent 5f263cb9b0
commit 712389da82
1 changed files with 4 additions and 3 deletions


@ -70,9 +70,10 @@ class ir_sequence(osv.osv):
'sec': time.strftime('%S'),
}
def get_id(self, cr, uid, sequence_id, test='id=%s', context=None):
def get_id(self, cr, uid, sequence_id, test='id', context=None):
try:
cr.execute('SELECT id, number_next, prefix, suffix, padding FROM ir_sequence WHERE '+test+' AND active=%s FOR UPDATE', (sequence_id, True))
assert test in ('code','id')
cr.execute('SELECT id, number_next, prefix, suffix, padding FROM ir_sequence WHERE '+test+'=%s AND active=%s FOR UPDATE', (sequence_id, True))
res = cr.dictfetchone()
if res:
cr.execute('UPDATE ir_sequence SET number_next=number_next+number_increment WHERE id=%s AND active=%s', (res['id'], True))
@ -85,7 +86,7 @@ class ir_sequence(osv.osv):
return False
def get(self, cr, uid, code):
return self.get_id(cr, uid, code, test='code=%s')
return self.get_id(cr, uid, code, test='code')
ir_sequence()
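Review bot: The allow-list on `test` in get_id is enforced with `assert test in ('code','id')`, which Python strips when run with `-O`, leaving the `'... WHERE '+test+'=%s ...'` concatenation unguarded again. A check that survives optimisation is safer: `if test not in ('code', 'id'): raise ValueError('invalid sequence lookup column: %r' % (test,))`. The assert also sits inside the `try:` whose handler is outside this hunk, so it is worth confirming that a rejected value is not silently swallowed there. Any caller outside this file that still passes the old form (`test='code=%s'`) will now be rejected and needs updating in the same change.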