From c5c1b9d9dde70b9e4fe6ffddc49cc16d76c1f392 Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Tue, 12 May 2015 14:48:16 -0700
Subject: [PATCH] [hotfix] use sqlparse to prevent multiple sql queries

---
 frappe/database.py | 28 ++++++++-------------------
 requirements.txt | 1 +
 2 files changed, 9 insertions(+), 20 deletions(-)

diff --git a/frappe/database.py b/frappe/database.py
index d5c8d77fee..f218791726 100644
--- a/frappe/database.py
+++ b/frappe/database.py
@@ -14,6 +14,7 @@ import re
 import frappe.model.meta
 from frappe.utils import now, get_datetime
 from frappe import _
+import sqlparse
 
 class Database:
 	"""
@@ -181,6 +182,13 @@ class Database:
 			else:
 				frappe.throw(_("Too many writes in one request. Please send smaller requests"), frappe.ValidationError)
 
+	def prevent_multiple_queries(self, query):
+		if frappe.flags.in_install_db or frappe.flags.in_install:
+			return
+
+		if ";" in query and len(sqlparse.parse(query)) > 1:
+			frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
+
 	def fetch_as_dict(self, formatted=0, as_utf8=0):
 		result = self._cursor.fetchall()
 		ret = []
@@ -562,23 +570,3 @@ class Database:
 		if isinstance(s, unicode):
 			s = (s or "").encode("utf-8")
 		return unicode(MySQLdb.escape_string(s), "utf-8")
-
-	def prevent_multiple_queries(self, query):
-		if frappe.flags.in_install_db or frappe.flags.in_install:
-			return
-
-		query_lower = query.lower().split(";")
-
-		if len(query_lower) > 1:
-			for q in query_lower[1:]:
-				if q.strip() and q.strip().split()[0] in (
-					"update",
-					"truncate",
-					"alter",
-					"drop",
-					"create",
-					"begin",
-					"start transaction",
-					"commit"
-				):
-					frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
diff --git a/requirements.txt b/requirements.txt
index 89ce2dd125..32a57beaff 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -25,3 +25,4 @@ pdfkit
 babel
 ipython
 click
+sqlparse
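Review bot: `len(sqlparse.parse(query)) > 1` in the new `prevent_multiple_queries` may reject a legitimate single statement that ends with `;` followed by whitespace or a comment, because some sqlparse releases yield a trailing whitespace-only statement from the splitter; either confirm the behaviour of the version you install or count only non-empty statements, e.g. `statements = [s for s in sqlparse.parse(query) if str(s).strip()]` and `if ";" in query and len(statements) > 1:`. The method has no docstring; a one-liner such as `"""Reject query strings that parse into more than one SQL statement (a guard against stacked queries); skipped while installing."""` would record why the `in_install_db`/`in_install` flags bypass the check and why the cheap `";" in query` test runs before parsing. Whether `sql()` calls this method on every query path is outside the hunk, so that could not be confirmed here. The requirements.txt hunk adds `sqlparse` unpinned like its neighbours; since this guard depends on the parser's statement-splitting semantics, pinning a known-good version would make the behaviour reproducible.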