From b2b2df56aadcd5eb8aea6fe9565e4e113fa01d5e Mon Sep 17 00:00:00 2001
From: Saurabh
Date: Thu, 2 Mar 2017 16:51:20 +0530
Subject: [PATCH] [fix] consider optional fields too while chekcing sql injection
---
 frappe/model/db_query.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 06a0f5d0fb..f7ea70c2db 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -493,7 +493,7 @@ class DatabaseQuery(object):
 frappe.throw(_("Please select atleast 1 column from {0} to sort/group").format(tbl))
 else:
 field = field.strip().split(' ')[0]
- if field not in [f.fieldname for f in meta.fields] and field not in default_fields:
+ if field not in [f.fieldname for f in meta.fields] and field not in (default_fields + optional_fields):
 frappe.throw(_("Invalid field used to sort/group: {0}").format(field))
 def add_limit(self):
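Review bot: Widening the allowlist to `default_fields + optional_fields` is fine, but the validation on the line above it still only looks at the first whitespace-delimited token (`field.strip().split(' ')[0]`), so for an entry like `name desc` the direction token is never checked in this hunk; if the full sort/group string is later interpolated into the query, as the commit subject's "sql injection" wording suggests, anything after the first space passes through unvalidated. I would validate the remainder as well, rejecting more than two tokens and any direction other than `asc`/`desc`, before the existing membership check. The enclosing function (and the `if` that this `else:` belongs to) starts outside the hunk, and `default_fields`/`optional_fields` are presumably module-level sequences, so check that both are lists or both are tuples or the `+` will raise. A small note would also help future readers: `# allowlist: only known fieldnames (plus standard/optional columns) may reach the ORDER BY / GROUP BY clause`.
```python
tokens = field.strip().split()
field = tokens[0] if tokens else ''
# only "<field>" or "<field> asc|desc" is acceptable; anything else is not a sort spec
if len(tokens) > 2 or (len(tokens) == 2 and tokens[1].lower() not in ('asc', 'desc')):
	frappe.throw(_("Invalid field used to sort/group: {0}").format(field))
# … unchanged: membership check against meta.fields / default_fields / optional_fields …
```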