fix: Healthcare Practitioner custom query escaped
diff --git a/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py b/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py
index 891d865..ed9eae3 100644
--- a/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py
+++ b/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py
@@ -83,6 +83,19 @@
order by
case when name like %s then 0 else 1 end,
case when first_name like %s then 0 else 1 end,
- name, first_name limit %s, %s""".format(match_conditions=match_conditions) %
- (", ".join(fields), searchfield, "%s", "%s", "%s", "%s", "%s", "%s"),
- ("%%%s%%" % txt, "%%%s%%" % txt, "%%%s%%" % txt, "%%%s%%" % txt, start, page_len))
+ name, first_name limit %s, %s""".format(
+ match_conditions=match_conditions) %
+ (
+ ", ".join(fields),
+ frappe.db.escape(searchfield),
+ "%s", "%s", "%s", "%s", "%s", "%s"
+ ),
+ (
+ "%%%s%%" % frappe.db.escape(txt),
+ "%%%s%%" % frappe.db.escape(txt),
+ "%%%s%%" % frappe.db.escape(txt),
+ "%%%s%%" % frappe.db.escape(txt),
+ start,
+ page_len
+ )
+ )