diff --git a/frappe/desk/reportview.py b/frappe/desk/reportview.py
index 9654e14687..189178d878 100644
--- a/frappe/desk/reportview.py
+++ b/frappe/desk/reportview.py
@@ -68,6 +68,7 @@ def get_form_params():
 # queries must always be server side
 data.query = None
+ data.strict = None
 return data
diff --git a/frappe/desk/search.py b/frappe/desk/search.py
index 61b0cf2905..18278f7871 100644
--- a/frappe/desk/search.py
+++ b/frappe/desk/search.py
@@ -153,7 +153,8 @@ def search_widget(doctype, txt, query=None, searchfield=None, start=0,
 order_by=order_by,
 ignore_permissions=ignore_permissions,
 reference_doctype=reference_doctype,
- as_list=not as_dict)
+ as_list=not as_dict,
+ strict=False)
 if doctype in UNTRANSLATED_DOCTYPES:
 values = tuple([v for v in list(values) if re.search(txt+".*", (_(v.name) if as_dict else _(v[0])), re.IGNORECASE)])
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 74bd245fb4..f864e4f356 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -36,7 +36,7 @@ class DatabaseQuery(object):
 ignore_permissions=False, user=None, with_comment_count=False, join='left join', distinct=False,
 start=None, page_length=None, limit=None, ignore_ifnull=False, save_user_settings=False, save_user_settings_fields=False,
- update=None, add_total_row=None, user_settings=None, reference_doctype=None, return_query=False):
+ update=None, add_total_row=None, user_settings=None, reference_doctype=None, return_query=False, strict=True):
 if not ignore_permissions and not frappe.has_permission(self.doctype, "read", user=user):
 frappe.flags.error_message = _('Insufficient Permission for {0}').format(frappe.bold(self.doctype))
 raise frappe.PermissionError(self.doctype)
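Review bot: `data.strict = None` does not restore the default: if this dict is splatted into `DatabaseQuery.execute` (as the neighbouring `data.query = None` implies for `query`), `strict=None` is falsy, so the new `if self.strict:` branch skips the `/*` and `union` field checks for every report-view request — the opposite of what the commit intends. Drop the key instead so the `strict=True` default applies: `data.pop('strict', None)`, which also matches the `kwargs.pop('strict', None)` this commit adds to `get_list` in db_query.py. get_form_params starts outside the hunk.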
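Review bot: `strict=False` switches off the `/*` and `union` field checks for the whole field list of this query, not only for the field that presumably tripped them; the fields and the `txt` they may embed are built outside the hunk, so I cannot confirm from here that none of them carries caller-supplied text. A narrower opt-out — relaxing the check only for the specific server-built expression, or validating `txt` before it is interpolated — keeps the guard for everything else. Whatever is chosen, a comment next to `strict=False` stating why the guard is safe to skip here would stop the next reader from copying it blindly: `# strict=False: <reason — fields here are built server side, never from the request>`. Separately, the existing `re.search(txt+".*", ...)` on the last context line treats the raw search text as a regex pattern, so `re.escape(txt)` would be safer there. search_widget continues outside the hunk.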
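Review bot: The new `strict` parameter is undocumented, and its effect — `False` disables the `/*` and `union` rejection applied to each field — is security-relevant enough to state at the definition. Add a docstring line on `execute`, e.g. `:param strict: when False, skip the comment/union field checks; only for field lists built entirely server side`, and the same wording as a trailing comment on the `self.strict = strict` assignment in the `@@ -80` hunk. The `execute` signature starts before the hunk and its body continues after it.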
@@ -80,6 +80,7 @@ class DatabaseQuery(object):
 self.update = update
 self.user_settings_fields = copy.deepcopy(self.fields)
 self.return_query = return_query
+ self.strict = strict
 # for contextual user permission check
 # to determine which user permission is applicable on link field of specific doctype
@@ -244,11 +245,12 @@ class DatabaseQuery(object):
 _is_query(field)
- if re.compile(r".*/\*.*").match(field):
- frappe.throw(_('Illegal SQL Query'))
+ if self.strict:
+ if re.compile(r".*/\*.*").match(field):
+ frappe.throw(_('Illegal SQL Query'))
- if re.compile(r".*\s(union).*\s").match(field.lower()):
- frappe.throw(_('Illegal SQL Query'))
+ if re.compile(r".*\s(union).*\s").match(field.lower()):
+ frappe.throw(_('Illegal SQL Query'))
 def extract_tables(self):
 """extract tables from fields"""
@@ -766,6 +768,7 @@ def get_list(doctype, *args, **kwargs):
 kwargs.pop('cmd', None)
 kwargs.pop('ignore_permissions', None)
 kwargs.pop('data', None)
+ kwargs.pop('strict', None)
 # If doctype is child table
 if frappe.is_table(doctype):
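Review bot: Both regexes are recompiled for every field on every call, and `re.compile(r".*/\*.*").match(field)` is only a substring test; with the block being re-indented anyway, this is the moment to simplify: `if "/*" in field:` and a module-level `UNION_RE = re.compile(r".*\s(union).*\s")` used as `if UNION_RE.match(field.lower()):`. Since the whole block is now conditional on `self.strict`, a short comment on that `if` naming which callers pass `strict=False` and why would make the relaxed path auditable: `# strict=False only for field lists built server side (see desk/search.py)`. The loop that binds `field` and the enclosing method start before the hunk.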
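Review bot: Popping `strict` here is the right call — it keeps a request-supplied value from relaxing the field checks — but nothing says so, and the line sits among pops for unrelated keys. A trailing comment would preserve the reason: `kwargs.pop('strict', None)  # never client-controlled: it relaxes the SQL field checks`. get_list continues outside the hunk.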