vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

[fix] sql injection fix (#6390)

Browse source
This commit is contained in:
Saurabh 2018-11-05 10:51:57 +05:30 committed by Rushabh Mehta
parent e4d83fbc97
commit 856a721073
1 changed files with 1 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
frappe/model/db_query.py
View file

@ -192,8 +192,7 @@ class DatabaseQuery(object):
'''
sub_query_regex = re.compile("^.*[,();].*")
blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case',
'from', 'group', 'order', 'by']
blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case']
blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce',
'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user',
'system_user', 'user', 'version']