diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 7767d2a021..53a1c6c13d 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -240,9 +240,6 @@ class DatabaseQuery(object):
 
 			_is_query(field)
 
-			invalid_characters_regex = r".*[^a-zA-Z0-9-_ ,`'\"\*\.\(\)].*"
-			if re.match(invalid_characters_regex, field):
-				frappe.throw(_("Illegal characters in SQL query"))
 
 	def extract_tables(self):
 		"""extract tables from fields"""
@@ -691,9 +688,6 @@ class DatabaseQuery(object):
 		if 'select' in _lower and ' from ' in _lower:
 			frappe.throw(_('Cannot use sub-query in order by'))
 
-		invalid_characters_regex = r".*[^a-z0-9-_ ,`'\"\.\(\)].*"
-		if re.match(invalid_characters_regex, _lower):
-			frappe.throw(_("Illegal characters in SQL query"))
 
 		for field in parameters.split(","):
 			if "." in field and field.strip().startswith("`tab"):
diff --git a/frappe/utils/jinja.py b/frappe/utils/jinja.py
index f8745b82c3..7a27fb3c3b 100644
--- a/frappe/utils/jinja.py
+++ b/frappe/utils/jinja.py
@@ -71,7 +71,7 @@ def render_template(template, context, is_path=None, safe_render=True):
 		or (template.endswith('.html') and '\n' not in template)):
 		return get_jenv().get_template(template).render(context)
 	else:
-		if safe_render and "__" in template:
+		if safe_render and ".__" in template:
 			throw("Illegal template")
 		try:
 			return get_jenv().from_string(template).render(context)