From a04ed55922b1d817047ae8fa47d2b7f5952e80f4 Mon Sep 17 00:00:00 2001
From: Andrea
Date: Fri, 17 Mar 2017 13:55:31 +0100
Subject: [PATCH] Avoid possible sql injection in bi_view_editor

---
 bi_view_editor/models/ir_model.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/bi_view_editor/models/ir_model.py b/bi_view_editor/models/ir_model.py
index 40a73620..e8892915 100644
--- a/bi_view_editor/models/ir_model.py
+++ b/bi_view_editor/models/ir_model.py
@@ -280,9 +280,8 @@ class IrModel(models.Model):
         # this sql update is necessary since a write method here would
         # be not working (an orm constraint is restricting the modification
         # of the state field while updating ir.model)
-        q = ("""UPDATE ir_model SET state = 'manual'
-            WHERE id = """ + str(res.id))
-        self.env.cr.execute(q)
+        q = "UPDATE ir_model SET state = 'manual' WHERE id = %s"
+        self.env.cr.execute(q, (res.id, ))
         #
         # update registry
         if self._context.get('bve'):
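Review bot: The parameterized query is the right fix, but nothing in the hunk records why the id must not be interpolated, so a later edit to this statement can quietly regress it; extend the existing comment above `q = ...` with `# pass the id as a query parameter, never by string formatting/concatenation`. The argument tuple `(res.id, )` would conventionally be written `(res.id,)`. A direct cursor UPDATE also bypasses the ORM record cache, so if `res.state` is read again later in this method it may still show the pre-update value — presumably an `invalidate_cache` on `res` after the execute is wanted; confirm against the rest of the method. The enclosing method begins and ends outside the hunk.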