fix(bom): escape name with wildcard character (#18164)
diff --git a/erpnext/controllers/queries.py b/erpnext/controllers/queries.py
index d74bc0e..47c9f0a 100644
--- a/erpnext/controllers/queries.py
+++ b/erpnext/controllers/queries.py
@@ -206,10 +206,11 @@
if(locate(%(_txt)s, name), locate(%(_txt)s, name), 99999),
idx desc, name
limit %(start)s, %(page_len)s """.format(
- fcond=get_filters_cond(doctype, filters, conditions),
+ fcond=get_filters_cond(doctype, filters, conditions).replace('%', '%%'),
mcond=get_match_cond(doctype),
- key=searchfield), {
- 'txt': '%' + txt + '%',
+ key=frappe.db.escape(searchfield)),
+ {
+ 'txt': "%"+frappe.db.escape(txt)+"%",
'_txt': txt.replace("%", ""),
'start': start or 0,
'page_len': page_len or 20
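Review bot: `key=frappe.db.escape(searchfield)` applies a string-literal escaper to a column identifier that `.format` splices directly into the SQL, so if `frappe.db.escape` returns a quoted value (its usual implementation wraps the result in single quotes) the query ends up comparing the constant string `'name'` against the pattern rather than the column, and the search silently stops matching; an identifier must be validated, not escaped, e.g. `searchfield = searchfield if searchfield in allowed_fields else "name"` with `allowed_fields` taken from the doctype meta or a fixed allowlist. The same concern applies to `'txt': "%"+frappe.db.escape(txt)+"%"` on the added line: `txt` is already passed as a bound parameter, so the driver escapes it, and the extra escaping inserts literal quotes and doubled `%`/backslashes into the LIKE pattern, while the original `'txt': '%' + txt + '%'` was already injection-safe for that value; keeping it unchanged avoids breaking searches. The `.replace('%', '%%')` on `fcond` is the right fix for the `.format` path and is the only part of this hunk that needed to change. The enclosing query function starts before and ends after this hunk.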