Avoid possible sql injection in bi_view_editor

2017-03-17 13:55:31 +01:00 · 2017-03-17 13:55:31 +01:00 · a04ed55922
parent c16e15ed08
commit a04ed55922
1 changed files with 2 additions and 3 deletions
--- a/bi_view_editor/models/ir_model.py
+++ b/bi_view_editor/models/ir_model.py
@ -280,9 +280,8 @@ class IrModel(models.Model):
        # this sql update is necessary since a write method here would
        # be not working (an orm constraint is restricting the modification
        # of the state field while updating ir.model)
-        q = ("""UPDATE ir_model SET state = 'manual'
-               WHERE id = """ + str(res.id))
-        self.env.cr.execute(q)
+        q = "UPDATE ir_model SET state = 'manual' WHERE id = %s"
+        self.env.cr.execute(q, (res.id, ))

        # # update registry
        if self._context.get('bve'):