sql injection fixes

frappe/__init__.py

@@ -510,10 +510,11 @@ def make_property_setter(args):
 
 def get_application_home_page(user='Guest'):
 	"""get home page for user"""
+	roles = get_roles(user)
 	hpl = db.sql("""select home_page
 		from `tabDefault Home Page`
 		where parent='Control Panel'
-		and role in ('%s') order by idx asc limit 1""" % "', '".join(get_roles(user)))
+		and role in (%s) order by idx asc limit 1""" % ", ".join(['%s']*len(roles)), roles)
 	if hpl:
 		return hpl[0][0]
 	else:

frappe/boot.py

@@ -83,9 +83,9 @@ def load_conf_settings(bootinfo):
 		if key in conf: bootinfo[key] = conf.get(key)
 
 def add_allowed_pages(bootinfo):
-	bootinfo.page_info = dict(frappe.db.sql("""select distinct 
-		parent, modified from `tabPage Role`
-		where role in ('%s')""" % "', '".join(frappe.get_roles())))
+	roles = frappe.get_roles()
+	bootinfo.page_info = dict(frappe.db.sql("""select distinct parent, modified from `tabPage Role`
+		where role in (%s)""" % ', '.join(['%s']*len(roles)), roles))
 	
 	# pages where role is not set are also allowed
 	bootinfo.page_info.update(dict(frappe.db.sql("""select parent, modified

frappe/core/doctype/doctype/doctype.py

@@ -33,10 +33,9 @@ class DocType:
 		if frappe.flags.in_import:
 			return
 		parent_list = frappe.db.sql("""SELECT parent 
-			from tabDocField where fieldtype="Table" and options="%s" """ % self.doc.name)
+			from tabDocField where fieldtype="Table" and options=%s""", self.doc.name)
 		for p in parent_list:
-			frappe.db.sql('''UPDATE tabDocType SET modified="%s" 
-				WHERE `name`="%s"''' % (now(), p[0]))
+			frappe.db.sql('UPDATE tabDocType SET modified=%s WHERE `name`=%s', (now(), p[0]))
 
 	def scrub_field_names(self):
 		restricted = ('name','parent','idx','owner','creation','modified','modified_by',

frappe/core/page/permission_manager/permission_manager.py

@@ -22,10 +22,10 @@ def get_roles_and_doctypes():
 def get_permissions(doctype=None, role=None):
 	frappe.only_for("System Manager")
 	return frappe.db.sql("""select * from tabDocPerm
-		where %s%s order by parent, permlevel, role""" % (\
-			doctype and (" parent='%s'" % doctype) or "",
-			role and ((doctype and " and " or "") + " role='%s'" % role) or "",
-			), as_dict=True)
+		where %s%s order by parent, permlevel, role""" % 
+		(doctype and (" parent='%s'" % doctype.replace("'", "\'")) or "",
+		role and ((doctype and " and " or "") + " role='%s'" % role.replace("'", "\'")) or ""), 
+		as_dict=True)
 			
 @frappe.whitelist()
 def remove(doctype, name):

frappe/model/__init__.py

@@ -70,9 +70,7 @@ def delete_fields(args_dict, delete=0):
 		# Delete the data / column only if delete is specified
 		if not delete: continue
 		
-		is_single = frappe.db.sql("select issingle from tabDocType where name = '%s'" % dt)
-		is_single = is_single and frappe.utils.cint(is_single[0][0]) or 0
-		if is_single:
+		if frappe.db.get_value("DocType", dt, "issingle"):
 			frappe.db.sql("""\
 				DELETE FROM `tabSingles`
 				WHERE doctype=%s AND field IN (%s)

frappe/model/bean.py

@@ -128,8 +128,8 @@ class Bean:
 					conflict = True
 			else:
 				tmp = frappe.db.sql("""select modified, docstatus from `tab%s` 
-					where name="%s" for update"""
-					% (self.doc.doctype, self.doc.name), as_dict=True)
+					where name=%s for update"""
+					% (self.doc.doctype, '%s'), self.doc.name), as_dict=True)
 
 				if not tmp:
 					frappe.msgprint("""This record does not exist. Please refresh.""", raise_exception=1)

frappe/model/db_schema.py

@@ -95,7 +95,7 @@ class DbTable:
 		"""
 			get columns from docfields and custom fields
 		"""
-		fl = frappe.db.sql("SELECT * FROM tabDocField WHERE parent = '%s'" % self.doctype, as_dict = 1)
+		fl = frappe.db.sql("SELECT * FROM tabDocField WHERE parent = %s", self.doctype, as_dict = 1)
 		
 		try:
 			custom_fl = frappe.db.sql("""\
@@ -185,13 +185,15 @@ class DbTable:
 
 		for col in self.add_index:
 			# if index key not exists
-			if not frappe.db.sql("show index from `%s` where key_name = '%s'" % (self.name, col.fieldname)):
+			if not frappe.db.sql("show index from `%s` where key_name = %s" % 
+					(self.name, '%s'), col.fieldname):
 				frappe.db.sql("alter table `%s` add index `%s`(`%s`)" % (self.name, col.fieldname, col.fieldname))
 
 		for col in self.drop_index:
 			if col.fieldname != 'name': # primary key
 				# if index key exists
-				if frappe.db.sql("show index from `%s` where key_name = '%s'" % (self.name, col.fieldname)):
+				if frappe.db.sql("show index from `%s` where key_name = %s" % 
+						(self.name, '%s'), col.fieldname):
 					frappe.db.sql("alter table `%s` drop index `%s`" % (self.name, col.fieldname))
 
 		for col in self.set_default:

frappe/model/doc.py

@@ -748,7 +748,7 @@ def validate_name(doctype, name, case=None, merge=False):
 	if case=='UPPER CASE': name = name.upper()
 	
 	name = name.strip() # no leading and trailing blanks
-	
+
 	return name
 	
 def get_default_naming_series(doctype):

frappe/model/meta.py

@@ -15,8 +15,8 @@ def is_single(doctype):
 
 def get_parent_dt(dt):
 	parent_dt = frappe.db.sql("""select parent from tabDocField 
-		where fieldtype="Table" and options="%s" and (parent not like "old_parent:%%") 
-		limit 1""" % dt)
+		where fieldtype="Table" and options=%s and (parent not like "old_parent:%%") 
+		limit 1""", dt)
 	return parent_dt and parent_dt[0][0] or ''
 
 def set_fieldname(field_id, fieldname):
@@ -40,12 +40,12 @@ def get_link_fields(doctype):
 	]
 
 def get_table_fields(doctype):
-	child_tables = [[d[0], d[1]] for d in frappe.db.sql("select options, fieldname from tabDocField \
-		where parent='%s' and fieldtype='Table'" % doctype, as_list=1)]
+	child_tables = [[d[0], d[1]] for d in frappe.db.sql("""select options, fieldname 
+		from tabDocField where parent=%s and fieldtype='Table'""", doctype, as_list=1)]
 	
 	try:
-		custom_child_tables = [[d[0], d[1]] for d in frappe.db.sql("select options, fieldname from `tabCustom Field` \
-			where dt='%s' and fieldtype='Table'" % doctype, as_list=1)]
+		custom_child_tables = [[d[0], d[1]] for d in frappe.db.sql("""select options, fieldname 
+			from `tabCustom Field` where dt=%s and fieldtype='Table'""", doctype, as_list=1)]
 	except Exception, e:
 		if e.args[0]!=1146:
 			raise

frappe/sessions.py

@@ -133,8 +133,8 @@ class Session:
 			self.insert_session_record()
 
 			# update user
-			frappe.db.sql("""UPDATE tabUser SET last_login = '%s', last_ip = '%s' 
-				where name='%s'""" % (frappe.utils.now(), frappe.get_request_header('REMOTE_ADDR'), self.data['user']))
+			frappe.db.sql("""UPDATE tabUser SET last_login = %s, last_ip = %s 
+				where name=%s""", (frappe.utils.now(), frappe.get_request_header('REMOTE_ADDR'), self.data['user']))
 			frappe.db.commit()		
 
 	def insert_session_record(self):

frappe/utils/nestedset.py

@@ -70,19 +70,23 @@ def update_add_node(doc, parent, parent_field):
 			% (doctype, "%s"), parent)[0]
 		validate_loop(doc.doctype, doc.name, left, right)
 	else: # root
-		right = frappe.db.sql("select ifnull(max(rgt),0)+1 from `tab%s` where ifnull(`%s`,'') =''" % (doctype, parent_field))[0][0]
+		right = frappe.db.sql("select ifnull(max(rgt),0)+1 from `tab%s` \
+			where ifnull(`%s`,'') =''", (doctype, parent_field))[0][0]
 	right = right or 1
 		
 	# update all on the right
-	frappe.db.sql("update `tab%s` set rgt = rgt+2, modified='%s' where rgt >= %s" %(doctype,n,right))
-	frappe.db.sql("update `tab%s` set lft = lft+2, modified='%s' where lft >= %s" %(doctype,n,right))
+	frappe.db.sql("update `tab%s` set rgt = rgt+2, modified=%s where rgt >= %s" % 
+		(doctype, '%s', '%s'), (n, right))
+	frappe.db.sql("update `tab%s` set lft = lft+2, modified=%s where lft >= %s" % 
+		(doctype, '%s', '%s'), (n, right))
 	
 	# update index of new node
 	if frappe.db.sql("select * from `tab%s` where lft=%s or rgt=%s"% (doctype, right, right+1)):
 		frappe.msgprint("Nested set error. Please send mail to support")
 		raise Exception
 
-	frappe.db.sql("update `tab%s` set lft=%s, rgt=%s, modified='%s' where name='%s'" % (doctype,right,right+1,n,name))
+	frappe.db.sql("update `tab{0}` set lft=%s, rgt=%s, modified=%s where name=%s".format(doctype), 
+		(right,right+1,n,name))
 	return right
 
 
@@ -164,13 +168,15 @@ def rebuild_node(doctype, parent, left, parent_field):
 	right = left+1	
 
 	# get all children of this node
-	result = frappe.db.sql("SELECT name FROM `tab%s` WHERE `%s`='%s'" % (doctype, parent_field, parent))
+	result = frappe.db.sql("SELECT name FROM `tab%s` WHERE `%s`=%s" % 
+		(doctype, parent_field, '%s'), (parent))
 	for r in result:
 		right = rebuild_node(doctype, r[0], right, parent_field)
 
 	# we've got the left value, and now that we've processed
 	# the children of this node we also know the right value
-	frappe.db.sql("UPDATE `tab%s` SET lft=%s, rgt=%s, modified='%s' WHERE name='%s'" % (doctype,left,right,n,parent))
+	frappe.db.sql("""UPDATE `tab{0}` SET lft=%s, rgt=%s, modified=%s 
+		WHERE name=%s""".format(doctype), (left,right,n,parent))
 
 	#return the right value of this node + 1
 	return right+1

frappe/widgets/event.py

@@ -11,19 +11,30 @@ def get_cal_events(m_st, m_end):
 	import frappe.model.doc
 	
 	# load owned events
-	res1 = frappe.db.sql("select name from `tabEvent` WHERE ifnull(event_date,'2000-01-01') between '%s' and '%s' and owner = '%s' and event_type != 'Public' and event_type != 'Cancel'" % (m_st, m_end, frappe.user.name))
+	res1 = frappe.db.sql("""select name from `tabEvent` 
+		WHERE ifnull(event_date,'2000-01-01') between %s and %s and owner = %s 
+		and event_type != 'Public' and event_type != 'Cancel'""", 
+		(m_st, m_end, frappe.user.name))
 
 	# load individual events
-	res2 = frappe.db.sql("select t1.name from `tabEvent` t1, `tabEvent User` t2 where ifnull(t1.event_date,'2000-01-01') between '%s' and '%s' and t2.person = '%s' and t1.name = t2.parent and t1.event_type != 'Cancel'" % (m_st, m_end, frappe.user.name))
+	res2 = frappe.db.sql("""select t1.name from `tabEvent` t1, `tabEvent User` t2 
+		where ifnull(t1.event_date,'2000-01-01') between %s and %s and t2.person = %s 
+		and t1.name = t2.parent and t1.event_type != 'Cancel'""", 
+		(m_st, m_end, frappe.user.name))
 
 	# load role events
 	roles = frappe.user.get_roles()
-	myroles = ['t2.role = "%s"' % r for r in roles]
+	myroles = ['t2.role = "%s"' % r.replace('"', '\"') for r in roles]
 	myroles = '(' + (' OR '.join(myroles)) + ')'
-	res3 = frappe.db.sql("select t1.name from `tabEvent` t1, `tabEvent Role` t2  where ifnull(t1.event_date,'2000-01-01') between '%s' and '%s' and t1.name = t2.parent and t1.event_type != 'Cancel' and %s" % (m_st, m_end, myroles))
+	res3 = frappe.db.sql("""select t1.name from `tabEvent` t1, `tabEvent Role` t2  
+		where ifnull(t1.event_date,'2000-01-01') between %s and %s 
+		and t1.name = t2.parent and t1.event_type != 'Cancel' and %s""" % 
+		('%s', '%s', myroles), (m_st, m_end))
 	
 	# load public events
-	res4 = frappe.db.sql("select name from `tabEvent` where ifnull(event_date,'2000-01-01') between '%s' and '%s' and event_type='Public'" % (m_st, m_end))
+	res4 = frappe.db.sql("select name from `tabEvent` \
+		where ifnull(event_date,'2000-01-01') between %s and %s and event_type='Public'", 
+		(m_st, m_end))
 	
 	doclist, rl = [], []
 	for r in res1 + res2 + res3 + res4:

frappe/widgets/query_builder.py

@@ -20,7 +20,7 @@ def get_sql_tables(q):
 
 def get_parent_dt(dt):
 	pdt = ''
-	if frappe.db.sql('select name from `tabDocType` where istable=1 and name="%s"' % dt):
+	if frappe.db.sql('select name from `tabDocType` where istable=1 and name=%s', dt):
 		import frappe.model.meta
 		return frappe.model.meta.get_parent_dt(dt)
 	return pdt
@@ -44,7 +44,8 @@ def get_sql_meta(tl):
 			meta[dt]['parent'] = ('ID', 'Link', pdt, '200')
 
 		# get the field properties from DocField
-		res = frappe.db.sql("select fieldname, label, fieldtype, options, width from tabDocField where parent='%s'" % dt)
+		res = frappe.db.sql("select fieldname, label, fieldtype, options, width \
+			from tabDocField where parent=%s", dt)
 		for r in res:
 			if r[0]:
 				meta[dt][r[0]] = (r[1], r[2], r[3], r[4]);