diff --git a/frappe/__init__.py b/frappe/__init__.py index 2062004296..6889e6316f 100644 --- a/frappe/__init__.py +++ b/frappe/__init__.py @@ -510,10 +510,11 @@ def make_property_setter(args): def get_application_home_page(user='Guest'): """get home page for user""" + roles = get_roles(user) hpl = db.sql("""select home_page from `tabDefault Home Page` where parent='Control Panel' - and role in ('%s') order by idx asc limit 1""" % "', '".join(get_roles(user))) + and role in (%s) order by idx asc limit 1""" % ", ".join(['%s']*len(roles)), roles) if hpl: return hpl[0][0] else: diff --git a/frappe/boot.py b/frappe/boot.py index bb2663cb1c..2470edd941 100644 --- a/frappe/boot.py +++ b/frappe/boot.py @@ -83,9 +83,9 @@ def load_conf_settings(bootinfo): if key in conf: bootinfo[key] = conf.get(key) def add_allowed_pages(bootinfo): - bootinfo.page_info = dict(frappe.db.sql("""select distinct - parent, modified from `tabPage Role` - where role in ('%s')""" % "', '".join(frappe.get_roles()))) + roles = frappe.get_roles() + bootinfo.page_info = dict(frappe.db.sql("""select distinct parent, modified from `tabPage Role` + where role in (%s)""" % ', '.join(['%s']*len(roles)), roles)) # pages where role is not set are also allowed bootinfo.page_info.update(dict(frappe.db.sql("""select parent, modified diff --git a/frappe/core/doctype/doctype/doctype.py b/frappe/core/doctype/doctype/doctype.py index f08c3c9c99..8bac02bc72 100644 --- a/frappe/core/doctype/doctype/doctype.py +++ b/frappe/core/doctype/doctype/doctype.py 
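Review bot: The placeholder list built on the new `and role in (%s)` line is empty whenever `get_roles(user)` yields no roles, so the statement becomes `role in ()`, which MySQL rejects as a syntax error instead of returning no rows; the same construction is used in add_allowed_pages in frappe/boot.py. If an empty role list is reachable, guard it before the query, e.g. `if not roles: return None` (or whatever the function's no-home-page branch returns — that branch is cut off at the end of the hunk). Passing `roles` as the values list is otherwise the right shape for the driver. get_application_home_page continues past the end of the hunk.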
@@ -33,10 +33,9 @@ class DocType: if frappe.flags.in_import: return parent_list = frappe.db.sql("""SELECT parent - from tabDocField where fieldtype="Table" and options="%s" """ % self.doc.name) + from tabDocField where fieldtype="Table" and options=%s""", self.doc.name) for p in parent_list: - frappe.db.sql('''UPDATE tabDocType SET modified="%s" - WHERE `name`="%s"''' % (now(), p[0])) + frappe.db.sql('UPDATE tabDocType SET modified=%s WHERE `name`=%s', (now(), p[0])) def scrub_field_names(self): restricted = ('name','parent','idx','owner','creation','modified','modified_by', diff --git a/frappe/core/page/permission_manager/permission_manager.py b/frappe/core/page/permission_manager/permission_manager.py index d2f54da872..8d0b491865 100644 --- a/frappe/core/page/permission_manager/permission_manager.py +++ b/frappe/core/page/permission_manager/permission_manager.py @@ -22,10 +22,10 @@ def get_roles_and_doctypes(): def get_permissions(doctype=None, role=None): frappe.only_for("System Manager") return frappe.db.sql("""select * from tabDocPerm - where %s%s order by parent, permlevel, role""" % (\ - doctype and (" parent='%s'" % doctype) or "", - role and ((doctype and " and " or "") + " role='%s'" % role) or "", - ), as_dict=True) + where %s%s order by parent, permlevel, role""" % + (doctype and (" parent='%s'" % doctype.replace("'", "\'")) or "", + role and ((doctype and " and " or "") + " role='%s'" % role.replace("'", "\'")) or ""), + as_dict=True) @frappe.whitelist() def remove(doctype, name): diff --git a/frappe/model/__init__.py b/frappe/model/__init__.py index 2c12cf3878..8cb982a164 100644 --- a/frappe/model/__init__.py +++ b/frappe/model/__init__.py 
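Review bot: The `.replace("'", "\'")` added to doctype and role on the new `where` line is a no-op, because Python reads `"\'"` as a plain apostrophe, so both values are still spliced into the query text unescaped; the same no-op escape appears in get_cal_events in frappe/widgets/event.py (`r.replace('"', '\"')`). `frappe.only_for("System Manager")` narrows who can reach this, but the statement should use bound `%s` placeholders like the rest of this commit rather than rely on string escaping. Building the where clause from a conditions/values pair also avoids the `where  order by` text the current expression emits when both arguments are empty. get_permissions lies entirely inside the hunk.
```python
def get_permissions(doctype=None, role=None):
	frappe.only_for("System Manager")
	# Only fixed identifiers go into the SQL text; every caller-supplied
	# value is bound through a %s placeholder.
	conditions, values = [], []
	if doctype:
		conditions.append("parent=%s")
		values.append(doctype)
	if role:
		conditions.append("role=%s")
		values.append(role)
	where = (" where " + " and ".join(conditions)) if conditions else ""
	return frappe.db.sql("select * from tabDocPerm%s order by parent, permlevel, role" % where,
		values, as_dict=True)
```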
@@ -70,9 +70,7 @@ def delete_fields(args_dict, delete=0): # Delete the data / column only if delete is specified if not delete: continue - is_single = frappe.db.sql("select issingle from tabDocType where name = '%s'" % dt) - is_single = is_single and frappe.utils.cint(is_single[0][0]) or 0 - if is_single: + if frappe.db.get_value("DocType", dt, "issingle"): frappe.db.sql("""\ DELETE FROM `tabSingles` WHERE doctype=%s AND field IN (%s) diff --git a/frappe/model/bean.py b/frappe/model/bean.py index d7f62f3d55..120e7f6e8a 100644 --- a/frappe/model/bean.py +++ b/frappe/model/bean.py @@ -128,8 +128,8 @@ class Bean: conflict = True else: tmp = frappe.db.sql("""select modified, docstatus from `tab%s` - where name="%s" for update""" - % (self.doc.doctype, self.doc.name), as_dict=True) + where name=%s for update""" + % (self.doc.doctype, '%s'), self.doc.name), as_dict=True) if not tmp: frappe.msgprint("""This record does not exist. Please refresh.""", raise_exception=1) diff --git a/frappe/model/db_schema.py b/frappe/model/db_schema.py index e1183f9270..0538aa51db 100644 --- a/frappe/model/db_schema.py +++ b/frappe/model/db_schema.py @@ -95,7 +95,7 @@ class DbTable: """ get columns from docfields and custom fields """ - fl = frappe.db.sql("SELECT * FROM tabDocField WHERE parent = '%s'" % self.doctype, as_dict = 1) + fl = frappe.db.sql("SELECT * FROM tabDocField WHERE parent = %s", self.doctype, as_dict = 1) try: custom_fl = frappe.db.sql("""\ 
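Review bot: The replacement condition `if frappe.db.get_value("DocType", dt, "issingle"):` drops the `cint` the removed lines applied; if get_value can hand the column back as a string (for example "0"), the branch now runs for non-single doctypes and the DELETE from tabSingles that follows executes where it previously did not. Keeping `if frappe.utils.cint(frappe.db.get_value("DocType", dt, "issingle")):` preserves the old semantics whatever type the lookup returns. delete_fields begins and ends outside the hunk.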
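Review bot: The `% (self.doc.doctype, '%s')` on the new `for update` query interpolates a literal `'%s'` only so that the placeholder survives the first formatting pass, which reads like a typo to anyone not following the trick; escaping it in the template, `where name=%%s for update""" % self.doc.doctype, self.doc.name`, says the same thing directly. The same pattern appears in the two `show index` calls in frappe/model/db_schema.py and the rgt/lft updates in frappe/utils/nestedset.py, whereas the `.format(doctype)` form used later in nestedset.py is the clearer alternative and would be worth applying consistently. The table name is still spliced in from self.doc.doctype, which is unavoidable for an identifier, and a one-line comment saying so would stop a future reader from "parameterising" it. The enclosing method begins outside the hunk.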
@@ -185,13 +185,15 @@ class DbTable: for col in self.add_index: # if index key not exists - if not frappe.db.sql("show index from `%s` where key_name = '%s'" % (self.name, col.fieldname)): + if not frappe.db.sql("show index from `%s` where key_name = %s" % + (self.name, '%s'), col.fieldname): frappe.db.sql("alter table `%s` add index `%s`(`%s`)" % (self.name, col.fieldname, col.fieldname)) for col in self.drop_index: if col.fieldname != 'name': # primary key # if index key exists - if frappe.db.sql("show index from `%s` where key_name = '%s'" % (self.name, col.fieldname)): + if frappe.db.sql("show index from `%s` where key_name = %s" % + (self.name, '%s'), col.fieldname): frappe.db.sql("alter table `%s` drop index `%s`" % (self.name, col.fieldname)) for col in self.set_default: diff --git a/frappe/model/doc.py b/frappe/model/doc.py index f8901f99f8..5df4d1d25a 100755 --- a/frappe/model/doc.py +++ b/frappe/model/doc.py @@ -748,7 +748,7 @@ def validate_name(doctype, name, case=None, merge=False): if case=='UPPER CASE': name = name.upper() name = name.strip() # no leading and trailing blanks - + return name def get_default_naming_series(doctype): diff --git a/frappe/model/meta.py b/frappe/model/meta.py index b74126353e..1668c49948 100644 --- a/frappe/model/meta.py +++ b/frappe/model/meta.py @@ -15,8 +15,8 @@ def is_single(doctype): def get_parent_dt(dt): parent_dt = frappe.db.sql("""select parent from tabDocField - where fieldtype="Table" and options="%s" and (parent not like "old_parent:%%") - limit 1""" % dt) + where fieldtype="Table" and options=%s and (parent not like "old_parent:%%") + limit 1""", dt) return parent_dt and parent_dt[0][0] or '' def set_fieldname(field_id, fieldname): 
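Review bot: In get_parent_dt the `%%` inside `not like "old_parent:%%"` now survives only if frappe.db.sql hands the template to a driver that applies %-formatting when binding `dt` (the way MySQLdb does); this code no longer formats the string itself, so a reader may take the doubled `%` for a leftover and reduce it to `%`, which would then break the placeholder pass. A short comment above the query, `# %% stays doubled: the driver applies %-formatting when it binds dt`, would make the dependency explicit. get_parent_dt lies entirely inside the hunk.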
@@ -40,12 +40,12 @@ def get_link_fields(doctype): ] def get_table_fields(doctype): - child_tables = [[d[0], d[1]] for d in frappe.db.sql("select options, fieldname from tabDocField \ - where parent='%s' and fieldtype='Table'" % doctype, as_list=1)] + child_tables = [[d[0], d[1]] for d in frappe.db.sql("""select options, fieldname + from tabDocField where parent=%s and fieldtype='Table'""", doctype, as_list=1)] try: - custom_child_tables = [[d[0], d[1]] for d in frappe.db.sql("select options, fieldname from `tabCustom Field` \ - where dt='%s' and fieldtype='Table'" % doctype, as_list=1)] + custom_child_tables = [[d[0], d[1]] for d in frappe.db.sql("""select options, fieldname + from `tabCustom Field` where dt=%s and fieldtype='Table'""", doctype, as_list=1)] except Exception, e: if e.args[0]!=1146: raise diff --git a/frappe/sessions.py b/frappe/sessions.py index 0299fee32b..668926db14 100644 --- a/frappe/sessions.py +++ b/frappe/sessions.py @@ -133,8 +133,8 @@ class Session: self.insert_session_record() # update user - frappe.db.sql("""UPDATE tabUser SET last_login = '%s', last_ip = '%s' - where name='%s'""" % (frappe.utils.now(), frappe.get_request_header('REMOTE_ADDR'), self.data['user'])) + frappe.db.sql("""UPDATE tabUser SET last_login = %s, last_ip = %s + where name=%s""", (frappe.utils.now(), frappe.get_request_header('REMOTE_ADDR'), self.data['user'])) frappe.db.commit() def insert_session_record(self): diff --git a/frappe/utils/nestedset.py b/frappe/utils/nestedset.py index 58697b36ab..0716e87e8e 100644 --- a/frappe/utils/nestedset.py +++ b/frappe/utils/nestedset.py 
@@ -70,19 +70,23 @@ def update_add_node(doc, parent, parent_field): % (doctype, "%s"), parent)[0] validate_loop(doc.doctype, doc.name, left, right) else: # root - right = frappe.db.sql("select ifnull(max(rgt),0)+1 from `tab%s` where ifnull(`%s`,'') =''" % (doctype, parent_field))[0][0] + right = frappe.db.sql("select ifnull(max(rgt),0)+1 from `tab%s` \ + where ifnull(`%s`,'') =''", (doctype, parent_field))[0][0] right = right or 1 # update all on the right - frappe.db.sql("update `tab%s` set rgt = rgt+2, modified='%s' where rgt >= %s" %(doctype,n,right)) - frappe.db.sql("update `tab%s` set lft = lft+2, modified='%s' where lft >= %s" %(doctype,n,right)) + frappe.db.sql("update `tab%s` set rgt = rgt+2, modified=%s where rgt >= %s" % + (doctype, '%s', '%s'), (n, right)) + frappe.db.sql("update `tab%s` set lft = lft+2, modified=%s where lft >= %s" % + (doctype, '%s', '%s'), (n, right)) # update index of new node if frappe.db.sql("select * from `tab%s` where lft=%s or rgt=%s"% (doctype, right, right+1)): frappe.msgprint("Nested set error. Please send mail to support") raise Exception - frappe.db.sql("update `tab%s` set lft=%s, rgt=%s, modified='%s' where name='%s'" % (doctype,right,right+1,n,name)) + frappe.db.sql("update `tab{0}` set lft=%s, rgt=%s, modified=%s where name=%s".format(doctype), + (right,right+1,n,name)) return right 
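Review bot: The new root-branch query in update_add_node binds `doctype` and `parent_field` as values, `(doctype, parent_field)`, yet both are identifiers inside backticks; the driver will render them as quoted string literals, so the table name comes out as tab'Doctype' and the statement fails on every root insert. Identifiers cannot be bound, so this line needs the `%` formatting the removed line used: format `(doctype, parent_field)` into the template with `%` and drop the second argument to frappe.db.sql. The other statements in this hunk format only the table name and bind the values, which is the correct split. update_add_node begins outside the hunk.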
@@ -164,13 +168,15 @@ def rebuild_node(doctype, parent, left, parent_field): right = left+1 # get all children of this node - result = frappe.db.sql("SELECT name FROM `tab%s` WHERE `%s`='%s'" % (doctype, parent_field, parent)) + result = frappe.db.sql("SELECT name FROM `tab%s` WHERE `%s`=%s" % + (doctype, parent_field, '%s'), (parent)) for r in result: right = rebuild_node(doctype, r[0], right, parent_field) # we've got the left value, and now that we've processed # the children of this node we also know the right value - frappe.db.sql("UPDATE `tab%s` SET lft=%s, rgt=%s, modified='%s' WHERE name='%s'" % (doctype,left,right,n,parent)) + frappe.db.sql("""UPDATE `tab{0}` SET lft=%s, rgt=%s, modified=%s + WHERE name=%s""".format(doctype), (left,right,n,parent)) #return the right value of this node + 1 return right+1 diff --git a/frappe/widgets/event.py b/frappe/widgets/event.py index 2ec135cbcd..5239846ef4 100644 --- a/frappe/widgets/event.py +++ b/frappe/widgets/event.py 
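Review bot: `(parent)` at the end of the new `result = ...` call is just `parent` in parentheses, not a one-element tuple, so it works only because frappe.db.sql accepts a bare scalar, as several other calls in this commit assume. Writing it as `(parent,)` states the intent and matches the `(left,right,n,parent)` tuple a few lines down. rebuild_node begins outside the hunk.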
@@ -11,19 +11,30 @@ def get_cal_events(m_st, m_end): import frappe.model.doc # load owned events - res1 = frappe.db.sql("select name from `tabEvent` WHERE ifnull(event_date,'2000-01-01') between '%s' and '%s' and owner = '%s' and event_type != 'Public' and event_type != 'Cancel'" % (m_st, m_end, frappe.user.name)) + res1 = frappe.db.sql("""select name from `tabEvent` + WHERE ifnull(event_date,'2000-01-01') between %s and %s and owner = %s + and event_type != 'Public' and event_type != 'Cancel'""", + (m_st, m_end, frappe.user.name)) # load individual events - res2 = frappe.db.sql("select t1.name from `tabEvent` t1, `tabEvent User` t2 where ifnull(t1.event_date,'2000-01-01') between '%s' and '%s' and t2.person = '%s' and t1.name = t2.parent and t1.event_type != 'Cancel'" % (m_st, m_end, frappe.user.name)) + res2 = frappe.db.sql("""select t1.name from `tabEvent` t1, `tabEvent User` t2 + where ifnull(t1.event_date,'2000-01-01') between %s and %s and t2.person = %s + and t1.name = t2.parent and t1.event_type != 'Cancel'""", + (m_st, m_end, frappe.user.name)) # load role events roles = frappe.user.get_roles() - myroles = ['t2.role = "%s"' % r for r in roles] + myroles = ['t2.role = "%s"' % r.replace('"', '\"') for r in roles] myroles = '(' + (' OR '.join(myroles)) + ')' - res3 = frappe.db.sql("select t1.name from `tabEvent` t1, `tabEvent Role` t2 where ifnull(t1.event_date,'2000-01-01') between '%s' and '%s' and t1.name = t2.parent and t1.event_type != 'Cancel' and %s" % (m_st, m_end, myroles)) + res3 = frappe.db.sql("""select t1.name from `tabEvent` t1, `tabEvent Role` t2 + where ifnull(t1.event_date,'2000-01-01') between %s and %s + and t1.name = t2.parent and t1.event_type != 'Cancel' and %s""" % + ('%s', '%s', myroles), (m_st, m_end)) # load public events - res4 = frappe.db.sql("select name from `tabEvent` where ifnull(event_date,'2000-01-01') between '%s' and '%s' and event_type='Public'" % (m_st, m_end)) + res4 = frappe.db.sql("select name from `tabEvent` \ + where 
ifnull(event_date,'2000-01-01') between %s and %s and event_type='Public'", + (m_st, m_end)) doclist, rl = [], [] for r in res1 + res2 + res3 + res4: diff --git a/frappe/widgets/query_builder.py b/frappe/widgets/query_builder.py index 44f2303f56..48da6a5908 100644 --- a/frappe/widgets/query_builder.py +++ b/frappe/widgets/query_builder.py @@ -20,7 +20,7 @@ def get_sql_tables(q): def get_parent_dt(dt): pdt = '' - if frappe.db.sql('select name from `tabDocType` where istable=1 and name="%s"' % dt): + if frappe.db.sql('select name from `tabDocType` where istable=1 and name=%s', dt): import frappe.model.meta return frappe.model.meta.get_parent_dt(dt) return pdt @@ -44,7 +44,8 @@ def get_sql_meta(tl): meta[dt]['parent'] = ('ID', 'Link', pdt, '200') # get the field properties from DocField - res = frappe.db.sql("select fieldname, label, fieldtype, options, width from tabDocField where parent='%s'" % dt) + res = frappe.db.sql("select fieldname, label, fieldtype, options, width \ + from tabDocField where parent=%s", dt) for r in res: if r[0]: meta[dt][r[0]] = (r[1], r[2], r[3], r[4]);
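Review bot: The role filter for res3 is still assembled from `'t2.role = "%s"' % r.replace('"', '\"')`, and that replace is a no-op because Python reads `'\"'` as a bare double quote, so role names enter the SQL text unescaped while the dates in the same statement are bound. Expressing the condition as `t2.role in (%s)` with one placeholder per role and appending the roles to the bound values keeps the whole statement parameterised, consistent with res1, res2 and res4. An empty role list then yields `in ()`, a syntax error, just as the current code yields `and ()`; if that is reachable, skip the query for that case and use an empty result of the same type frappe.db.sql returns so the `res1 + res2 + res3 + res4` concatenation still works. get_cal_events continues past the hunk.
```python
	# load role events
	roles = frappe.user.get_roles()
	# %%s survives the placeholder-list formatting below as %s for the driver
	res3 = frappe.db.sql("""select t1.name from `tabEvent` t1, `tabEvent Role` t2
		where ifnull(t1.event_date,'2000-01-01') between %%s and %%s
		and t1.name = t2.parent and t1.event_type != 'Cancel'
		and t2.role in (%s)""" % ", ".join(["%s"] * len(roles)),
		[m_st, m_end] + list(roles))
	# … unchanged: res4 query and result assembly …
```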