[fix] don't allow string values in limits to avoid sql injection

[saurabh6790]

URL: http://data.erpnext.dev:8000/?cmd=erpnext.templates.pages.product_search.get_product_list&start=1%20PROCEDURE%20ANALYSE(EXTRACTVALUE(2288,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x4f716f73))))),1)-afDR&search

Before

Traceback (most recent call last):
  File "/Users/saurabh/frappe-bench/apps/frappe/frappe/app.py", line 55, in application
    response = frappe.handler.handle()
  File "/Users/saurabh/frappe-bench/apps/frappe/frappe/handler.py", line 21, in handle
    data = execute_cmd(cmd)
  File "/Users/saurabh/frappe-bench/apps/frappe/frappe/handler.py", line 52, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "/Users/saurabh/frappe-bench/apps/frappe/frappe/__init__.py", line 907, in call
    return fn(*args, **newargs)
  File "/Users/saurabh/frappe-bench/apps/erpnext/erpnext/templates/pages/product_search.py", line 50, in get_product_list
    }, as_dict=1)
  File "/Users/saurabh/frappe-bench/apps/frappe/frappe/database.py", line 138, in sql
    self._cursor.execute(query, values)
  File "/Users/saurabh/frappe-bench/env/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
    self.errorhandler(self, exc, value)
  File "/Users/saurabh/frappe-bench/env/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-afDR, 12' at line 6")

---

after