diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index d4f6d40458..e5a1c22e05 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -499,9 +499,11 @@ from {tables}
 				if isinstance(token, Function):
 					if (name := (token.get_name())) and name.lower() in blacklisted_functions:
 						_raise_exception()
-				if token.ttype == tokens.Keyword:
-					if token.value.lower() in blacklisted_keywords:
+
+				if token.ttype in (tokens.Keyword, tokens.Name):
+					if any(re.search(rf"\b{kw}\b", token.value.lower()) for kw in blacklisted_keywords):
 						_raise_exception()
+
 				if token.is_group:
 					_check_sql_token(token)
 
diff --git a/frappe/utils/data.py b/frappe/utils/data.py
index d3150b1d6b..f8129f6fcf 100644
--- a/frappe/utils/data.py
+++ b/frappe/utils/data.py
@@ -2293,7 +2293,7 @@ def _sanitize_column(column_name: str, db_type: str) -> str:
 	def _raise_exception():
 		frappe.throw(_("Invalid field name {0}").format(column_name), frappe.DataError)
 
-	regex = re.compile("^.*[,'();\n].*")
+	regex = re.compile("^.*[,'();\n`].*")
 	if "ifnull" in column_name:
 		if regex.match(column_name):
 			# to avoid and, or