[fix] escape fg_item in production planning's get_so_items

Anand Doshi 2016-04-04 13:16:56 +05:30
parent da7d1667d5
commit 08b39b1ff8


@ -128,7 +128,7 @@ class ProductionPlanningTool(Document):
item_condition = ""
if self.fg_item:
item_condition = ' and so_item.item_code = "' + self.fg_item + '"'
item_condition = ' and so_item.item_code = "{0}"'.format(frappe.db.escape(self.fg_item))
items = frappe.db.sql("""select distinct parent, item_code, warehouse,
(qty - delivered_qty) as pending_qty
@ -139,7 +139,7 @@ class ProductionPlanningTool(Document):
(", ".join(["%s"] * len(so_list)), item_condition), tuple(so_list), as_dict=1)
if self.fg_item:
item_condition = ' and pi.item_code = "' + self.fg_item + '"'
item_condition = ' and pi.item_code = "{0}"'.format(frappe.db.escape(self.fg_item))
packed_items = frappe.db.sql("""select distinct pi.parent, pi.item_code, pi.warehouse as warehouse,
(((so_item.qty - so_item.delivered_qty) * pi.qty) / so_item.qty)
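Review bot: Both changed lines (the `so_item.item_code` and `pi.item_code` conditions) still splice `fg_item` into the SQL text, so safety depends on `frappe.db.escape` returning an unquoted, escaped string that is valid inside the hand-written double quotes. If the helper ever returns an already-quoted literal, or the server treats double quotes as identifier quotes, the condition breaks or stops matching. The first query already binds `so_list` through `%s` placeholders and `tuple(so_list)`, so `fg_item` could be bound the same way: `item_condition = ' and so_item.item_code = %s'`, with `self.fg_item` appended to the parameter tuple when it is set. This assumes the condition comes after the `in (...)` list in the query text, which is not visible here; both queries continue outside the shown lines. A short comment at each site stating that `fg_item` is user-supplied would also help keep later edits from reverting to concatenation.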