[hotfix] use sqlparse to prevent multiple sql queries

frappe/database.py

@@ -14,6 +14,7 @@ import re
 import frappe.model.meta
 from frappe.utils import now, get_datetime
 from frappe import _
+import sqlparse
 
 class Database:
 	"""
@@ -181,6 +182,13 @@ class Database:
 				else:
 					frappe.throw(_("Too many writes in one request. Please send smaller requests"), frappe.ValidationError)
 
+	def prevent_multiple_queries(self, query):
+		if frappe.flags.in_install_db or frappe.flags.in_install:
+			return
+
+		if ";" in query and len(sqlparse.parse(query)) > 1:
+			frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)
+
 	def fetch_as_dict(self, formatted=0, as_utf8=0):
 		result = self._cursor.fetchall()
 		ret = []
@@ -562,23 +570,3 @@ class Database:
 		if isinstance(s, unicode):
 			s = (s or "").encode("utf-8")
 		return unicode(MySQLdb.escape_string(s), "utf-8")
-
-	def prevent_multiple_queries(self, query):
-		if frappe.flags.in_install_db or frappe.flags.in_install:
-			return
-
-		query_lower = query.lower().split(";")
-
-		if len(query_lower) > 1:
-			for q in query_lower[1:]:
-				if q.strip() and q.strip().split()[0] in (
-					"update",
-					"truncate",
-					"alter",
-					"drop",
-					"create",
-					"begin",
-					"start transaction",
-					"commit"
-				):
-					frappe.throw(_("Cannot have more than one SQL statement in a query."), frappe.SQLError)

requirements.txt

@@ -25,3 +25,4 @@ pdfkit
 babel
 ipython
 click
+sqlparse