From ab577751f28b4328e5775bd6d2f964f93b0be6ac Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Fri, 6 Feb 2026 18:20:45 +0530
Subject: [PATCH 1/2] fix(sanitize_fields): strengthen field check
Signed-off-by: Akhil Narang
---
 frappe/model/db_query.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index d4f6d40458..e5a1c22e05 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -499,9 +499,11 @@ from {tables}
 if isinstance(token, Function):
 if (name := (token.get_name())) and name.lower() in blacklisted_functions:
 _raise_exception()
- if token.ttype == tokens.Keyword:
- if token.value.lower() in blacklisted_keywords:
+
+ if token.ttype in (tokens.Keyword, tokens.Name):
+ if any(re.search(rf"\b{kw}\b", token.value.lower()) for kw in blacklisted_keywords):
 _raise_exception()
+
 if token.is_group:
 _check_sql_token(token)
From e6ea045d06955b7d7f5bbb8282a7b6ab8241ec98 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Fri, 6 Feb 2026 21:15:20 +0530
Subject: [PATCH 2/2] fix: improve sanitize_column regex
Signed-off-by: Akhil Narang
---
 frappe/utils/data.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/utils/data.py b/frappe/utils/data.py
index d3150b1d6b..f8129f6fcf 100644
--- a/frappe/utils/data.py
+++ b/frappe/utils/data.py
@@ -2293,7 +2293,7 @@ def _sanitize_column(column_name: str, db_type: str) -> str:
 def _raise_exception():
 frappe.throw(_("Invalid field name {0}").format(column_name), frappe.DataError)
- regex = re.compile("^.*[,'();\n].*")
+ regex = re.compile("^.*[,'();\n`].*")
 if "ifnull" in column_name:
 if regex.match(column_name):
 # to avoid and, or
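Review bot: The added `if any(re.search(rf"\b{kw}\b", token.value.lower()) for kw in blacklisted_keywords):` line interpolates each entry of `blacklisted_keywords` into a regex without escaping, so any entry that contains a regex metacharacter would change or break the match; `rf"\b{re.escape(kw)}\b"` keeps the intent and makes the list safe to extend. The list itself is outside the hunk, so whether it currently holds such an entry cannot be confirmed here, and the `re` import for db_query.py is likewise not visible in this patch. Separately, if I read sqlparse's token types correctly, `token.ttype in (tokens.Keyword, tokens.Name)` is plain tuple membership and does not match sub-types such as `tokens.Keyword.DML`, a gap the pre-existing `== tokens.Keyword` check had as well; `token.ttype in tokens.Keyword or token.ttype in tokens.Name` would use sqlparse's hierarchical containment instead. The enclosing function (presumably `_check_sql_token`, given the recursive call) starts before the hunk.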
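Review bot: The changed `regex` line extends a single-character deny-list, which is the shape that keeps needing patches like this one; since `_sanitize_column` already receives `db_type`, an allow-list of the identifier characters each backend accepts (letters, digits, underscore, and that backend's identifier quoting) would make the accept decision explicit rather than reactive. As a smaller point, `^.*[...].*` checked with `regex.match` is equivalent to a search for the character class, so `regex = re.compile(r"[,'();\n`]")` paired with `regex.search(column_name)` reads more directly, and the compile could move to module level instead of running on every call; any `.match` use sites beyond the one shown are outside the hunk. The start of `_sanitize_column` is outside the hunk.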