From 50b80c89a2d50f6eebadff14f8c68c3efbb0a068 Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Tue, 12 May 2015 14:30:35 -0700
Subject: [PATCH] [fix] use sqlparse to ensure only one query is executed in frappe.db.sql

---
 frappe/database.py | 18 +++--------------
 requirements.txt   |  1 +
 2 files changed, 4 insertions(+), 15 deletions(-)

diff --git a/frappe/database.py b/frappe/database.py
index 59ffb9c27d..f09c3d6e6d 100644
--- a/frappe/database.py
+++ b/frappe/database.py
@@ -17,6 +17,7 @@ import frappe.model.meta
 from frappe.utils import now, get_datetime, cstr
 from frappe import _
 from types import StringType, UnicodeType
+import sqlparse
 
 class Database:
 	"""
@@ -220,21 +221,8 @@ class Database:
 		if frappe.flags.in_install_db or frappe.flags.in_install:
 			return
 
-		query_lower = query.lower().split(";")
-
-		if len(query_lower) > 1:
-			for q in query_lower[1:]:
-				if q.strip() and q.strip().split()[0] in (
-					"update",
-					"truncate",
-					"alter",
-					"drop",
-					"create",
-					"begin",
-					"start transaction",
-					"commit"
-				):
-					frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
+		if ";" in query and len(sqlparse.parse(query)) > 1:
+			frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
 
 	def fetch_as_dict(self, formatted=0, as_utf8=0):
 		"""Internal. Converts results to dict."""
diff --git a/requirements.txt b/requirements.txt
index ba31f3ce9d..2687cdd6d8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -28,3 +28,4 @@ html2text
 email_reply_parser
 click
 num2words
+sqlparse
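Review bot: The new guard counts every object returned by `sqlparse.parse(query)`, and depending on the sqlparse release a query that legitimately ends in `;` followed by whitespace (or a trailing comment) can come back as two statements, the second being empty or comment-only, so a single valid statement would be rejected with SQLError; the old split-and-keyword check did not have this false positive. Counting only statements with non-blank text keeps the intent while avoiding that, e.g. `statements = [s for s in sqlparse.parse(query) if s.value.strip()]` followed by `if ";" in query and len(statements) > 1:`, with comment-only statements worth the same treatment if the parser reports them separately. The intent of the check also deserves a comment on the new `if` line, since it is easy to misread as input validation: `# defence in depth against stacked statements: sqlparse tokenises string literals, so a ';' inside a quoted value no longer trips this; it is not a substitute for parameterised values`. The method this belongs to starts before the hunk (only `class Database:` is visible in the header), and the early `return` under the install flags means the check is skipped entirely in those code paths, which is pre-existing behaviour but worth stating next to it.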
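Review bot: `sqlparse` is added without a version constraint, and the statement-splitting behaviour the new guard in frappe/database.py relies on (how a trailing `;`, whitespace and comments are grouped) has changed between sqlparse releases, so an unpinned install can silently change what `frappe.db.sql` accepts or rejects. The visible neighbours in this file are also unpinned, so this follows the file's convention, but for a dependency that sits on a security check a pin such as `sqlparse==<version-tested>` (placeholder) or at least a lower bound is the safer form.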