diff --git a/frappe/__init__.py b/frappe/__init__.py index 6a8f8120c4..063af46d65 100644 --- a/frappe/__init__.py +++ b/frappe/__init__.py @@ -17,7 +17,7 @@ from faker import Faker from .exceptions import * from .utils.jinja import (get_jenv, get_template, render_template, get_email_from_template, get_jloader) -__version__ = '10.1.57' +__version__ = '10.1.58' __title__ = "Frappe Framework" local = Local() diff --git a/frappe/hooks.py b/frappe/hooks.py index c756f9098d..965d3363ca 100644 --- a/frappe/hooks.py +++ b/frappe/hooks.py @@ -12,7 +12,7 @@ source_link = "https://github.com/frappe/frappe" app_license = "MIT" develop_version = '11.x.x-develop' -staging_version = '11.0.3-beta.17' +staging_version = '11.0.3-beta.18' app_email = "info@frappe.io" diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py index 512a32f45c..cc50167273 100644 --- a/frappe/model/db_query.py +++ b/frappe/model/db_query.py @@ -191,13 +191,21 @@ class DatabaseQuery(object): ''' sub_query_regex = re.compile("^.*[,();].*") - blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case'] + blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case', + 'from', 'group', 'order', 'by'] blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce', 'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user', 'system_user', 'user', 'version'] def _raise_exception(): - frappe.throw(_('Cannot use sub-query or function in fields'), frappe.DataError) + frappe.throw(_('Use of sub-query or function is restricted'), frappe.DataError) + + def _is_query(field): + if re.compile("^(select|delete|update|drop|create)\s").match(field): + _raise_exception() + + elif re.compile("\s*[a-zA-z]*\s*( from | group by | order by | where | join )").match(field): + _raise_exception() for field in self.fields: if sub_query_regex.match(field): 
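Review bot: Both patterns in `_is_query` are case-sensitive and the second one only accepts a single literal space around each keyword, so a field such as `issingle FROM tabSessions` or `issingle<TAB>from tabSessions` passes `_is_query`, `sub_query_regex` and the comma check untouched, while MySQL treats the keywords case-insensitively and any whitespace as a separator; unless the extended `blacklisted_keywords` list is compared case-insensitively further down (outside this hunk), the new guard is bypassable. The second pattern also has `[a-zA-z]` where `[a-zA-Z]` was meant (the `A-z` range swallows `` [\]^_` ``), and because it is applied with `re.match` it is anchored at the start, so `tabDocType.name from tabSessions` is not caught either. I would compile the patterns once with `re.IGNORECASE`, use `\s+` for the separators and `re.search` for the clause form, as below; a denylist of this kind stays brittle, so an allowlist grammar for field expressions (identifier, optional backticked table prefix, the permitted aggregate functions) would be the more durable fix. The enclosing method starts before this hunk.
```python
_query_start_re = re.compile(r"^\s*(select|delete|update|drop|create)\s", re.IGNORECASE)
_query_clause_re = re.compile(r"\s(from|group\s+by|order\s+by|where|join)\s", re.IGNORECASE)

def _is_query(field):
    if _query_start_re.match(field) or _query_clause_re.search(field):
        _raise_exception()
```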
@@ -216,6 +224,9 @@ class DatabaseQuery(object): if re.compile('[a-zA-Z]+\s*,').match(field): _raise_exception() + _is_query(field) + + def extract_tables(self): """extract tables from fields""" self.tables = ['`tab' + self.doctype + '`'] diff --git a/frappe/tests/test_db_query.py b/frappe/tests/test_db_query.py index 478adc0bd1..01258e4e0b 100644 --- a/frappe/tests/test_db_query.py +++ b/frappe/tests/test_db_query.py @@ -124,6 +124,15 @@ class TestReportview(unittest.TestCase): self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute, fields=["name", "issingle,'"],limit_start=0, limit_page_length=1) + self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute, + fields=["name", "select * from tabSessions"],limit_start=0, limit_page_length=1) + + self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute, + fields=["name", "issingle from --"],limit_start=0, limit_page_length=1) + + self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute, + fields=["name", "issingle from tabDocType order by 2 --"],limit_start=0, limit_page_length=1) + data = DatabaseQuery("DocType").execute(fields=["name", "issingle", "count(name)"], limit_start=0, limit_page_length=1) self.assertTrue('count(name)' in data[0])
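Review bot: `_is_query(field)` reads as a predicate at the call site added here, but the helper returns nothing and raises through `_raise_exception()` on a match, so a reader scanning the loop body cannot tell that this line can abort the request. Either rename it to match the two sibling checks' shape, `_raise_if_query(field)`, or have it return a bool and keep the raise visible at the call site: `if _is_query(field): _raise_exception()`. The call appears to sit inside the `for field in self.fields` loop whose head is in the previous hunk, and the enclosing method starts outside this hunk.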
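Review bot: The three new cases use lowercase keywords separated by single spaces, which is exactly the form the new `_is_query` patterns spell out, so they do not exercise the variants the database also accepts. Add a case variant and a whitespace variant, e.g. `fields=["name", "issingle FROM tabSessions"]` and `fields=["name", "issingle\tfrom tabSessions"]`, both expected to raise `frappe.DataError`; as the patterns are written they would currently fail, which is the point of adding them. The `"issingle from --"` case is a good one to keep since it shows the trailing-comment truncation the check is meant to stop.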