[hotfix] use sqlparse to prevent multiple sql queries
This commit is contained in:
Anand Doshi
parent
1bbbd24068
commit
c5c1b9d9dd
2 changed files with 9 additions and 20 deletions
|
|
@ -14,6 +14,7 @@ import re
|
|||
import frappe.model.meta
|
||||
from frappe.utils import now, get_datetime
|
||||
from frappe import _
|
||||
import sqlparse
|
||||
|
||||
class Database:
|
||||
"""
|
||||
|
|
@ -181,6 +182,13 @@ class Database:
|
|||
else:
|
||||
frappe.throw(_("Too many writes in one request. Please send smaller requests"), frappe.ValidationError)
|
||||
|
||||
def prevent_multiple_queries(self, query):
|
||||
if frappe.flags.in_install_db or frappe.flags.in_install:
|
||||
return
|
||||
|
||||
if ";" in query and len(sqlparse.parse(query)) > 1:
|
||||
frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
|
||||
|
||||
def fetch_as_dict(self, formatted=0, as_utf8=0):
|
||||
result = self._cursor.fetchall()
|
||||
ret = []
|
||||
|
|
@ -562,23 +570,3 @@ class Database:
|
|||
if isinstance(s, unicode):
|
||||
s = (s or "").encode("utf-8")
|
||||
return unicode(MySQLdb.escape_string(s), "utf-8")
|
||||
|
||||
def prevent_multiple_queries(self, query):
|
||||
if frappe.flags.in_install_db or frappe.flags.in_install:
|
||||
return
|
||||
|
||||
query_lower = query.lower().split(";")
|
||||
|
||||
if len(query_lower) > 1:
|
||||
for q in query_lower[1:]:
|
||||
if q.strip() and q.strip().split()[0] in (
|
||||
"update",
|
||||
"truncate",
|
||||
"alter",
|
||||
"drop",
|
||||
"create",
|
||||
"begin",
|
||||
"start transaction",
|
||||
"commit"
|
||||
):
|
||||
frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
|
||||
|
|
|
|||
|
|
@ -25,3 +25,4 @@ pdfkit
|
|||
babel
|
||||
ipython
|
||||
click
|
||||
sqlparse
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue