From 3720126ee9e6153adc39528391926a1926ba065c Mon Sep 17 00:00:00 2001
From: sahil28297 <37302950+sahil28297@users.noreply.github.com>
Date: Mon, 10 Jun 2019 17:39:42 +0530
Subject: [PATCH] fix(patch): escape illegal characters to avoid SQL syntax error (#17890)

---
 erpnext/patches/v11_0/update_total_qty_field.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/erpnext/patches/v11_0/update_total_qty_field.py b/erpnext/patches/v11_0/update_total_qty_field.py
index 992454ac7c..51358e9545 100644
--- a/erpnext/patches/v11_0/update_total_qty_field.py
+++ b/erpnext/patches/v11_0/update_total_qty_field.py
@@ -40,7 +40,7 @@ def execute():
 	# This is probably never used anywhere else as of now, but should be
 	values = []
 	for d in batch_transactions:
-		values.append("('{}', {})".format(d.parent, d.qty))
+		values.append("('{}', {})".format(frappe.db.escape(d.parent), d.qty))
 	conditions = ",".join(values)
 	frappe.db.sql("""
 		INSERT INTO `tab{}` (name, total_qty) VALUES {}
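Review bot: The added `frappe.db.escape(d.parent)` call uses the helper's default `percent=True`, which (as far as I recall of frappe's API) doubles every `%` in the value; that is only right when the statement is later passed through the driver's `%` formatting, and the visible `frappe.db.sql("""INSERT INTO ... VALUES {}` call looks like it sends the fully built string with no parameters, so a document name containing `%` would be stored as `%%`. Pass `frappe.db.escape(d.parent, percent=False)` here, and check that the frappe version in use does not already wrap the result in quotes (newer versions do), or the literal becomes `''name''` and the syntax error returns. The cleaner fix is to stop building SQL from strings altogether and hand the rows to the driver as parameters, e.g. `VALUES (%s, %s)` with a list of `(d.parent, d.qty)` tuples, which also covers `d.qty`, still formatted raw and rendered as the bare word `None` if it can be NULL. The enclosing `execute()` starts before this hunk and the `frappe.db.sql` call continues past it, so I cannot confirm how the query is executed or where the `tab{}` table name comes from.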