From 856a721073122a8e487a13ba50b97a8b90916e12 Mon Sep 17 00:00:00 2001
From: Saurabh
Date: Mon, 5 Nov 2018 10:51:57 +0530
Subject: [PATCH] [fix] sql injection fix (#6390)

---
 frappe/model/db_query.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index f2da6e0b31..d561517558 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -192,8 +192,7 @@ class DatabaseQuery(object):
 '''
 sub_query_regex = re.compile("^.*[,();].*")
- blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case',
- 'from', 'group', 'order', 'by']
+ blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case']
 blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce', 'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user', 'system_user', 'user', 'version']
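Review bot: Dropping 'from', 'group', 'order' and 'by' from blacklisted_keywords narrows a denylist without recording why, and the subject line ("sql injection fix") reads as the opposite of what the added line does, so the next maintainer cannot tell whether this is a deliberate relaxation or a regression. The new line should carry a comment stating the reason (presumably these words collide with legitimate field names such as `order` or `group` — to be confirmed) and naming which other check now rejects a trailing `order by` / `group by` clause in a field expression, since `sub_query_regex` on the line above only matches `,`, `(`, `)` and `;` and would not catch such a clause on its own; for example `# 'from'/'group'/'order'/'by' are deliberately absent: they occur in legitimate fieldnames; clause injection is rejected by <name the check> instead`. A more robust design than maintaining a keyword denylist is to validate requested fields as an allowlist against the DocType's meta, which removes the need for this list entirely. The code that applies these lists, and the rest of the DatabaseQuery class, lies outside the hunk, and the hunk header's line counts suggest a trailing context line was lost in extraction.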