[hotfix] prevent multiple sql queries
This commit is contained in:
Anand Doshi
parent
b77510c8c1
commit
5cdc71bae9
2 changed files with 27 additions and 0 deletions
|
|
@ -81,6 +81,9 @@ class Database:
|
|||
# in transaction validations
|
||||
self.check_transaction_status(query)
|
||||
|
||||
# prevent multiple queries in one
|
||||
self.prevent_multiple_queries(query)
|
||||
|
||||
# autocommit
|
||||
if auto_commit: self.commit()
|
||||
|
||||
|
|
@ -559,3 +562,23 @@ class Database:
|
|||
if isinstance(s, unicode):
|
||||
s = (s or "").encode("utf-8")
|
||||
return unicode(MySQLdb.escape_string(s), "utf-8")
|
||||
|
||||
def prevent_multiple_queries(self, query):
|
||||
if frappe.flags.in_install_db or frappe.flags.in_install:
|
||||
return
|
||||
|
||||
query_lower = query.lower().split(";")
|
||||
|
||||
if len(query_lower) > 1:
|
||||
for q in query_lower[1:]:
|
||||
if q.strip() and q.strip().split()[0] in (
|
||||
"update",
|
||||
"truncate",
|
||||
"alter",
|
||||
"drop",
|
||||
"create",
|
||||
"begin",
|
||||
"start transaction",
|
||||
"commit"
|
||||
):
|
||||
frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
|
||||
|
|
|
|||
|
|
@ -19,3 +19,7 @@ class TestDB(unittest.TestCase):
|
|||
|
||||
def test_escape(self):
|
||||
frappe.db.escape("香港濟生堂製藥有限公司 - IT".encode("utf-8"))
|
||||
|
||||
def test_multiple_queries(self):
|
||||
# implicit commit
|
||||
self.assertRaises(frappe.SQLError, frappe.db.sql, """select name from `tabUser`; truncate `tabBulk Email`""")
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue