From ad412de054ec64ddee9c4b506e1d96d3d8032efd Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Thu, 11 Jan 2018 15:00:35 +0530
Subject: [PATCH 1/2] Escape name in sql query

---
 frappe/model/naming.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frappe/model/naming.py b/frappe/model/naming.py
index 6ccc5a0a19..b257db40a9 100644
--- a/frappe/model/naming.py
+++ b/frappe/model/naming.py
@@ -199,11 +199,14 @@ def _set_amended_name(doc):
 
 def append_number_if_name_exists(doctype, name, fieldname='name', separator='-'):
 if frappe.db.exists(doctype, name):
+ # should be escaped 2 times since
+ # python string will parse the first escape
+ escaped_name = re.escape(re.escape(name))
 last = frappe.db.sql("""select name from `tab{doctype}`
 where {fieldname} regexp '^{name}{separator}[[:digit:]]+'
 order by length({fieldname}) desc, {fieldname} desc limit 1""".format(doctype=doctype,
- name=name, fieldname=fieldname, separator=separator))
+ name=escaped_name, fieldname=fieldname, separator=separator), debug=1)
 
 if last:
 count = str(cint(last[0][0].rsplit("-", 1)[1]) + 1)

From 9dc43f85ce826a83d85bb668390a6c652e470dc0 Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Thu, 11 Jan 2018 15:02:19 +0530
Subject: [PATCH 2/2] minor

---
 frappe/model/naming.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/model/naming.py b/frappe/model/naming.py
index b257db40a9..10cd6848ce 100644
--- a/frappe/model/naming.py
+++ b/frappe/model/naming.py
@@ -206,7 +206,7 @@ def append_number_if_name_exists(doctype, name, fieldname='name', separator='-')
 where {fieldname} regexp '^{name}{separator}[[:digit:]]+'
 order by length({fieldname}) desc, {fieldname} desc limit 1""".format(doctype=doctype,
- name=escaped_name, fieldname=fieldname, separator=separator), debug=1)
+ name=escaped_name, fieldname=fieldname, separator=separator))
 
 if last:
 count = str(cint(last[0][0].rsplit("-", 1)[1]) + 1)
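Review bot: `re.escape` is a regex escape, not an SQL-literal escape, so the new `escaped_name` is still spliced by `.format` into the single-quoted `regexp '...'` literal, and a `name` containing `'` or `\` still reaches the SQL parser unquoted (on Python 3.7+ `re.escape` leaves quotes alone, so the double escape only happens to cover this on older interpreters). The added comment also misstates why two passes are needed: Python does not consume a backslash level in `escaped_name`; it is MySQL's string-literal parsing of the query text that does. The robust form is to regex-escape once and hand the pattern to the driver as a bound value through a `%s` placeholder and the `values` argument of `frappe.db.sql`, keeping only the identifier parts (`doctype`, `fieldname`) in `.format`; note that `separator` is still interpolated raw into the pattern, and that Python's escape set is not guaranteed to match MySQL's REGEXP dialect, so test the chosen separator. The second patch only drops the leftover `debug=1`. `append_number_if_name_exists` continues past the end of both hunks.

```python
		# regex-escape once; the driver quotes the bound pattern as a string
		# literal, so no second escape level is needed
		pattern = '^{0}{1}[[:digit:]]+'.format(re.escape(name), separator)
		last = frappe.db.sql("""select name from `tab{doctype}`
			where {fieldname} regexp %s
			order by length({fieldname}) desc, {fieldname} desc limit 1""".format(doctype=doctype,
				fieldname=fieldname), (pattern,))
		# … unchanged: count computation …
```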