
SQL Injection from API? #15337

Open

@wtfbrb

If you go here: /api/resource/Item?fields=["name","group"] on any ERPNext install, you get an SQL syntax error, which has me worried about what else can be done with some escaping... Field names should probably be enclosed in ` either way, even if this is not a security issue :)
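The failure the report describes (a field list spliced into a SELECT, where an unquoted reserved word such as group breaks the statement) and the fix the reporter suggests (quoting identifiers), shown as an added Python example. This is not Frappe/ERPNext code and does not reproduce its actual query builder; the issue itself does not establish whether the real endpoint is injectable. The table name, column set and sample rows are constructed assumptions, and SQLite stands in for MariaDB because it accepts backtick-quoted identifiers. The naive builder shows why quoting alone is not the whole fix: anything placed in the field list is executed as SQL, so the hardened builder also checks each field against an allowlist of real columns before quoting it.

```python
import json
import re
import sqlite3

# Constructed stand-in for the table behind /api/resource/Item. The column set is an
# assumption for this example, not ERPNext's real schema; "group" is included because
# it is a reserved word in SQL, the likely reason an unquoted field list fails.
SCHEMA = {"tabItem": {"name", "item_group", "group"}}
SAMPLE_ROWS = [("Widget", "Products", "A"), ("Gadget", "Products", "B")]  # constructed
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db():
    """In-memory SQLite database; SQLite accepts MySQL-style backtick identifiers."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE `tabItem` (`name` TEXT, `item_group` TEXT, `group` TEXT)")
    con.executemany("INSERT INTO `tabItem` VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def naive_select(con, doctype, fields_param):
    """Hypothetical builder: splices the decoded field list straight into the SELECT.
    A reserved word such as group breaks the statement (syntax error), and any
    expression the caller supplies in the list is executed as SQL."""
    fields = json.loads(fields_param)
    sql = f"SELECT {', '.join(fields)} FROM `tab{doctype}`"
    return sql, con.execute(sql).fetchall()


def safe_select(con, doctype, fields_param):
    """Hardened builder: every field must be a plain identifier that exists on the
    target table, and identifiers are backtick-quoted so reserved words are harmless."""
    fields = json.loads(fields_param)
    if not isinstance(fields, list) or not fields:
        raise ValueError("fields must be a non-empty JSON list")
    table = f"tab{doctype}"
    allowed = SCHEMA.get(table)  # also rejects an unknown or malformed doctype
    if allowed is None:
        raise ValueError(f"unknown doctype: {doctype!r}")
    cols = []
    for field in fields:
        if not isinstance(field, str) or not IDENT.match(field) or field not in allowed:
            raise ValueError(f"field not permitted: {field!r}")
        cols.append(f"`{field}`")
    sql = f"SELECT {', '.join(cols)} FROM `{table}`"
    return sql, con.execute(sql).fetchall()


def attempt(builder, con, doctype, fields_param):
    """Run a builder and report ("ok", rows) or ("error", exception class name)."""
    try:
        _sql, rows = builder(con, doctype, fields_param)
        return "ok", rows
    except (ValueError, sqlite3.OperationalError) as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    for builder in (naive_select, safe_select):
        for param in ('["name","group"]', '["name","(SELECT count(*) FROM sqlite_master)"]'):
            print(builder.__name__, param, attempt(builder, make_db(), "Item", param))
```

Running the module shows the two behaviours side by side: the naive builder fails on ["name","group"] with a syntax error but happily evaluates a subquery placed in the field list, while the hardened builder returns the expected rows for the legitimate request and rejects the subquery before it reaches the database.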
