Merge pull request #36939 from akhilnarang/db-query-fixes

fix: improve checks
2026-02-10 21:46:56 +05:30 · 2026-02-10 21:46:56 +05:30 · eb876c8aed
commit eb876c8aed
parent 20ceaa20a0 e6ea045d06
2 changed files with 5 additions and 3 deletions
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@ -499,9 +499,11 @@ from {tables}
 				if isinstance(token, Function):
 					if (name := (token.get_name())) and name.lower() in blacklisted_functions:
 						_raise_exception()
-				if token.ttype == tokens.Keyword:
-					if token.value.lower() in blacklisted_keywords:
+
+				if token.ttype in (tokens.Keyword, tokens.Name):
+					if any(re.search(rf"\b{kw}\b", token.value.lower()) for kw in blacklisted_keywords):
 						_raise_exception()
+
 				if token.is_group:
 					_check_sql_token(token)

--- a/frappe/utils/data.py
+++ b/frappe/utils/data.py
@ -2293,7 +2293,7 @@ def _sanitize_column(column_name: str, db_type: str) -> str:
 	def _raise_exception():
 		frappe.throw(_("Invalid field name {0}").format(column_name), frappe.DataError)

-	regex = re.compile("^.*[,'();\n].*")
+	regex = re.compile("^.*[,'();\n`].*")
 	if "ifnull" in column_name:
 		if regex.match(column_name):
 			# to avoid and, or