Remove sql injection problem
lp bug: https://launchpad.net/bugs/429327 fixed bzr revid: hda@tinyerp.com-20091021072533-1p0q91xcxoj51k1n
parent
b7f6bc4c8e
commit
8c64e3c18b
|
@ -106,7 +106,7 @@ class ir_translation(osv.osv):
|
|||
'where lang=%s ' \
|
||||
'and type=%s ' \
|
||||
'and name=%s ' \
|
||||
'and res_id in ('+','.join(map(str,ids))+')',
|
||||
'and res_id in ('+','.join(map(str, ids))+')',
|
||||
(lang,tt,name))
|
||||
cr.commit()
|
||||
for id in ids:
|
||||
|
|
|
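Review bot: The `res_id in (...)` clause is still built by concatenating `','.join(map(str, ids))` into the statement. The only visible difference between the two printed versions of that line is a space after the comma, so nothing changes in what reaches the database. The same holds for the hunks in module_category._module_nbr, ir_property.unlink, res_partner_category._check_recursion and res_company._check_recursion. If ids can ever carry caller-supplied values, bind them the way lang, type and name already are: `'and res_id in (' + ','.join(['%s'] * len(ids)) + ')',` with the parameters `(lang, tt, name) + tuple(ids)`. The statement and its enclosing method begin above the hunk, so the origin of ids is not visible here.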
@ -65,7 +65,7 @@ class module_category(osv.osv):
|
|||
_description = "Module Category"
|
||||
|
||||
def _module_nbr(self,cr,uid, ids, prop, unknow_none,context):
|
||||
cr.execute('select category_id,count(*) from ir_module_module where category_id in ('+','.join(map(str,ids))+') or category_id in (select id from ir_module_category where parent_id in ('+','.join(map(str,ids))+')) group by category_id')
|
||||
cr.execute('select category_id,count(*) from ir_module_module where category_id in ('+','.join(map(str, ids))+') or category_id in (select id from ir_module_category where parent_id in ('+','.join(map(str, ids))+')) group by category_id')
|
||||
result = dict(cr.fetchall())
|
||||
for id in ids:
|
||||
cr.execute('select id from ir_module_category where parent_id=%s', (id,))
|
||||
|
|
|
@ -58,7 +58,7 @@ class ir_property(osv.osv):
|
|||
}
|
||||
def unlink(self, cr, uid, ids, context={}):
|
||||
if ids:
|
||||
cr.execute('delete from ir_model_fields where id in (select fields_id from ir_property where (fields_id is not null) and (id in ('+','.join(map(str,ids))+')))')
|
||||
cr.execute('delete from ir_model_fields where id in (select fields_id from ir_property where (fields_id is not null) and (id in ('+','.join(map(str, ids))+')))')
|
||||
res = super(ir_property, self).unlink(cr, uid, ids, context)
|
||||
return res
|
||||
|
||||
|
|
|
@ -70,7 +70,7 @@ class res_partner_category(osv.osv):
|
|||
def _check_recursion(self, cr, uid, ids):
|
||||
level = 100
|
||||
while len(ids):
|
||||
cr.execute('select distinct parent_id from res_partner_category where id in ('+','.join(map(str,ids))+')')
|
||||
cr.execute('select distinct parent_id from res_partner_category where id in ('+','.join(map(str, ids))+')')
|
||||
ids = filter(None, map(lambda x:x[0], cr.fetchall()))
|
||||
if not level:
|
||||
return False
|
||||
|
@ -234,7 +234,7 @@ class res_partner(osv.osv):
|
|||
return True
|
||||
|
||||
def address_get(self, cr, uid, ids, adr_pref=['default']):
|
||||
cr.execute('select type,id from res_partner_address where partner_id in ('+','.join(map(str,ids))+')')
|
||||
cr.execute('select type,id from res_partner_address where partner_id in ('+','.join(map(str,map(int, ids)))+')')
|
||||
res = cr.fetchall()
|
||||
adr = dict(res)
|
||||
# get the id of the (first) default address if there is one,
|
||||
|
|
|
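Review bot: `map(int, ids)` in address_get forces every id to an integer before it is joined, which blocks injected SQL text, but the statement is still assembled by concatenation. A non-numeric id now raises ValueError or TypeError from inside the method, and an empty ids still produces `partner_id in ()`, which PostgreSQL rejects as a syntax error. Binding the values keeps the coercion and removes the concatenation: `cr.execute('select type,id from res_partner_address where partner_id in (' + ','.join(['%s'] * len(ids)) + ')', tuple(map(int, ids)))`, placed behind a check for empty ids. The rest of address_get lies outside the hunk, so the right return value for the empty case is not visible here.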
@ -93,7 +93,7 @@ class res_company(osv.osv):
|
|||
def _check_recursion(self, cr, uid, ids):
|
||||
level = 100
|
||||
while len(ids):
|
||||
cr.execute('select distinct parent_id from res_company where id in ('+','.join(map(str,ids))+')')
|
||||
cr.execute('select distinct parent_id from res_company where id in ('+','.join(map(str, ids))+')')
|
||||
ids = filter(None, map(lambda x:x[0], cr.fetchall()))
|
||||
if not level:
|
||||
return False
|
||||
|
|