[fix] report_timesheet: replace string concatenation in sql query with sql parameteri...
[odoo/odoo.git] / addons / report_timesheet / report_timesheet.py
index a5a5c8b..4ec51f9 100644 (file)
@@ -194,11 +194,11 @@ class report_random_timsheet(osv.osv):
                 account_analytic_line line, hr_department dept,hr_department_user_rel dept_user
             where
                 (dept.id = dept_user.department_id AND dept_user.user_id=line.user_id AND line.user_id is not null)
-                AND (dept.manager_id = """ + str(uid) + """ ) 
+                AND (dept.manager_id = %s)
                 AND (line.date <= CURRENT_DATE AND line.date > (CURRENT_DATE-3))
             LIMIT 10
             )
-            """ )
+            """, (uid,))
 
 report_random_timsheet()
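Review bot: Passing `(uid,)` on the closing line makes a `%s`-style DB-API driver scan the whole statement for placeholders, so any literal `%` in the part of the query above this hunk (for example in a LIKE pattern) would now have to be written `%%`. The visible lines contain none, but the head of the statement is outside the hunk and should be checked. The lone `)` after `LIMIT 10` suggests the SELECT is wrapped in a larger statement, possibly a view definition. If so, the bound uid is fixed into the stored definition when it is created, and the `dept.manager_id = %s` filter would reflect whoever triggered the creation rather than the user reading the report, so confirm that the manager restriction is also enforced at read time. A short comment above the call would help keep the fix in place, such as `# uid is bound by the driver; never concatenate values into this statement`.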