From 2d57cf43ea2890e84482820ef2acd1e3bcfba4bb Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Tue, 23 Feb 2010 13:47:48 +0100
Subject: [PATCH] [fix] mrp: potential sql injection vector

bzr revid: xmo@tinyerp.com-20100223124748-a5llbwcm7or44rhu
---
 addons/mrp/mrp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/addons/mrp/mrp.py b/addons/mrp/mrp.py
index 7cac4a8..15c02ab 100644
--- a/addons/mrp/mrp.py
+++ b/addons/mrp/mrp.py
@@ -216,7 +216,7 @@ class mrp_bom(osv.osv):
 def _check_recursion(self, cr, uid, ids):
 level = 500
 while len(ids):
- cr.execute('select distinct bom_id from mrp_bom where id in ('+','.join(map(str,ids))+')')
+ cr.execute('select distinct bom_id from mrp_bom where id in %s', (tuple(ids),))
 ids = filter(None, map(lambda x:x[0], cr.fetchall()))
 if not level:
 return False
-- 
1.7.10.4
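Review bot: The new `cr.execute('... where id in %s', (tuple(ids),))` line depends on two things the hunk does not state. First, the cursor's driver must expand a Python tuple into a quoted `IN (...)` list; psycopg2 does this, and `cr` is presumably a wrapper over it. Second, `ids` must never be empty, since an empty tuple renders as `IN ()` and fails to parse. The `while len(ids):` guard on the line above covers the second case today, so a one-line comment above the call would keep a later refactor from dropping the guard or going back to string concatenation: `# ids bound as a tuple: the driver quotes each value; the loop guard keeps the tuple non-empty`. The body of `_check_recursion` continues past the hunk, so the `level` decrement and the final return are not visible here.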