[FIX] avoid sql injection in sequences

bzr revid: vra@tinyerp.com-20100512083656-bc30l9o5rbn5lh3w
Christophe Simonis 2010-05-12 14:06:56 +05:30 committed by vra
parent d2faa2990a
commit 97f81a14e5
1 changed files with 3 additions and 1 deletions


@ -42,7 +42,9 @@ class ir_sequence(osv.osv):
_columns = {
'fiscal_ids' : fields.one2many('account.sequence.fiscalyear', 'sequence_main_id', 'Sequences')
}
def get_id(self, cr, uid, sequence_id, test='id', context={}):
def get_id(self, cr, uid, sequence_id, test='id', context={}):
if test not in ('id=%s', 'code=%s'):
raise ValueError('invalid test')
cr.execute('select id from ir_sequence where '+test+'=%s and active=%s', (sequence_id, True,))
res = cr.dictfetchone()
if res:
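Review bot: The allowlist on the added `if test not in ('id=%s', 'code=%s'):` line does not match how `test` is used. The default is `test='id'` and the `cr.execute` line appends `'=%s'` itself, so a default call now raises ValueError, while an accepted value such as `'id=%s'` would build `where id=%s=%s` with more placeholders than bound parameters. The check should compare against the bare column names, `if test not in ('id', 'code'):`. With that in place, concatenating `test` into the statement is safe because only those two fixed identifiers can reach it, and `sequence_id` remains a bound parameter. get_id's body continues past the end of the hunk, so the rest of the function is not covered here.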