Comment 3 for bug 887376

Moisés López - http://www.vauxoo.com (moylop260) wrote :

Ok, thank you.
We are working on it.

I should mention that my example patch solution does not have SQL injections.
My idea is the following patch:

=== modified file 'account/account.py'
--- account/account.py 2011-10-10 08:50:07 +0000
+++ account/account.py 2011-11-08 00:54:14 +0000
@@ -271,6 +271,13 @@
             request = ("SELECT l.account_id as id, " +\
                        ', '.join(map(mapping.__getitem__, field_names)) +
                        " FROM account_move_line l" \
+ """
+ INNER JOIN account_account aa_tree_1
+ ON aa_tree_1.id = l.account_id
+ INNER JOIN account_account aa_tree_2
+ ON aa_tree_2.parent_left
+ BETWEEN aa_tree_1.parent_left AND aa_tree_1.parent_right
+ """ \
                        " WHERE l.account_id IN %s " \
                             + filters +
                        " GROUP BY l.account_id")
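Review bot: the two new INNER JOINs never affect which rows are aggregated, because the WHERE clause still filters on `l.account_id IN %s` and the GROUP BY is still `l.account_id`; `aa_tree_2` is not referenced in the SELECT, WHERE or GROUP BY at all. Since `aa_tree_2` matches every account in the parent_left/parent_right range of the line's own account, each move line whose account has N descendants is joined N times, so any SUM over the selected columns is inflated rather than rolled up. If the intent is to include child accounts in a parent's totals, the join should go the other way round: match `aa_tree_2.id = l.account_id`, restrict the ancestor with `aa_tree_1.id IN %s`, and `GROUP BY aa_tree_1.id` (selecting `aa_tree_1.id as id`). Also note that the `+ filters +` concatenation is unchanged by this hunk, so whether the query is injection-free depends entirely on how `filters` is built by the caller; passing those conditions as query parameters alongside `%s` would make that property visible in this function.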

NOTE: This is an example of my idea; it is not the full solution.