[IMP]:POS module sql queries to parameterized query

bzr revid: nch@tinyerp.com-20091124123107-t32wdpt4powu4ldq

addons/point_of_sale/pos.py

@@ -59,7 +59,6 @@ class pos_order(osv.osv):
         return {'value': {'pricelist_id': pricelist}}
 
     def _amount_total(self, cr, uid, ids, field_name, arg, context):
-        id_set = ",".join(map(str, ids))
         cr.execute("""
         SELECT
             p.id,
@@ -68,9 +67,8 @@ class pos_order(osv.osv):
                 ) AS amount
         FROM pos_order p
             LEFT OUTER JOIN pos_order_line l ON (p.id=l.order_id)
-        WHERE p.id IN (""" + id_set +""") GROUP BY p.id """)
+        WHERE p.id =ANY(%s) GROUP BY p.id """,(ids,))
         res = dict(cr.fetchall())
-
         for rec in self.browse(cr, uid, ids, context):
             if rec.partner_id \
                and rec.partner_id.property_account_position \
@@ -112,8 +110,7 @@ class pos_order(osv.osv):
         return res
 
     def payment_get(self, cr, uid, ids, context=None):
-        cr.execute("select id from pos_payment where order_id in (%s)" % \
-                    ','.join([str(i) for i in ids]))
+        cr.execute("select id from pos_payment where order_id =ANY(%s)",(ids,))
         return [i[0] for i in cr.fetchall()]
 
     def _sale_journal_get(self, cr, uid, context):

addons/point_of_sale/report/pos_lines.py

@@ -47,7 +47,7 @@ class pos_lines(report_sxw.rml_parse):
                               " LEFT JOIN pos_order_line as pol ON po.id = pol.order_id " \
                               " LEFT JOIN product_taxes_rel as ptr ON pol.product_id = ptr.prod_id " \
                               " LEFT JOIN account_tax as acct ON acct.id = ptr.tax_id " \
-                              " WHERE pol.id = %d" %(obj.id))
+                              " WHERE pol.id = %s" ,(obj.id,))
         res=self.cr.fetchone()[0]
         return res