Avoid multiple escapes (#15509)

erpnext/controllers/queries.py

@@ -208,9 +208,8 @@ def bom(doctype, txt, searchfield, start, page_len, filters):
 		limit %(start)s, %(page_len)s """.format(
 			fcond=get_filters_cond(doctype, filters, conditions),
 			mcond=get_match_cond(doctype),
-			key=searchfield),
+			key=searchfield), {
-		{
+			'txt': '%' + txt + '%',
-			'txt': frappe.db.escape('%' + txt + '%'),
 			'_txt': txt.replace("%", ""),
 			'start': start or 0,
 			'page_len': page_len or 20
@@ -353,7 +352,7 @@ def get_income_account(doctype, txt, searchfield, start, page_len, filters):
 				{condition} {match_condition}
 			order by idx desc, name"""
 			.format(condition=condition, match_condition=get_match_cond(doctype), key=searchfield), {
-				'txt': frappe.db.escape('%' + txt + '%'),
+				'txt': '%' + txt + '%',
 				'company': filters.get("company", "")
 			})
 
@@ -378,7 +377,7 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
 		.format(condition=condition, key=searchfield,
 			match_condition=get_match_cond(doctype)), {
 			'company': filters.get("company", ""),
-			'txt': frappe.db.escape('%' + txt + '%')
+			'txt': '%' + txt + '%'
 		})
 
 

erpnext/projects/doctype/task/task.py

@@ -166,10 +166,13 @@ def get_project(doctype, txt, searchfield, start, page_len, filters):
 			where %(key)s like %(txt)s
 				%(mcond)s
 			order by name
-			limit %(start)s, %(page_len)s """ % {'key': searchfield,
+			limit %(start)s, %(page_len)s""" % {
-			'txt': frappe.db.escape('%' + txt + '%'),
+				'key': searchfield,
-			'mcond':get_match_cond(doctype),
+				'txt': frappe.db.escape('%' + txt + '%'),
-			'start': start, 'page_len': page_len})
+				'mcond':get_match_cond(doctype),
+				'start': start,
+				'page_len': page_len
+			})
 
 
 @frappe.whitelist()

erpnext/projects/doctype/timesheet/timesheet.py

@@ -223,7 +223,7 @@ def get_timesheet(doctype, txt, searchfield, start, page_len, filters):
 			and tsd.parent LIKE %(txt)s {condition}
 			order by tsd.parent limit %(start)s, %(page_len)s"""
 			.format(condition=condition), {
-				'txt': frappe.db.escape('%' + txt + '%'),
+				'txt': '%' + txt + '%',
 				"start": start, "page_len": page_len, 'project': filters.get("project")
 			})
 

erpnext/selling/page/point_of_sale/point_of_sale.py

@@ -60,11 +60,15 @@ def get_items(start, page_length, price_list, item_group, search_value="", pos_p
 			where
 				i.disabled = 0 and i.has_variants = 0 and i.is_sales_item = 1
 				and i.item_group in (select name from `tabItem Group` where lft >= {lft} and rgt <= {rgt})
-		        	and {condition} limit {start}, {page_length}""".format(start=start,page_length=page_length,lft=lft, rgt=rgt, 					condition=condition),
+				and {condition} limit {start}, {page_length}""".format(
-			{
+					start=start,
-				'item_code': item_code,
+					page_length=page_length,
+					lft=lft,
+					rgt=rgt,
+					condition=condition
+			), {
 				'price_list': price_list
-			} , as_dict=1)
+			}, as_dict=1)
 
 		res = {
 		'items': res

erpnext/setup/doctype/party_type/party_type.py

@@ -20,6 +20,6 @@ def get_party_type(doctype, txt, searchfield, start, page_len, filters):
 			where `{key}` LIKE %(txt)s {cond}
 			order by name limit %(start)s, %(page_len)s"""
 			.format(key=searchfield, cond=cond), {
-				'txt': frappe.db.escape('%' + txt + '%'),
+				'txt': '%' + txt + '%',
 				'start': start, 'page_len': page_len
 			})

erpnext/stock/doctype/item_alternative/item_alternative.py

@@ -35,6 +35,6 @@ def get_alternative_items(doctype, txt, searchfield, start, page_len, filters):
 			where alternative_item_code = %(item_code)s and item_code like %(txt)s
 			and two_way = 1) limit {0}, {1}
 		""".format(start, page_len), {
-			"item_code": frappe.db.escape(filters.get('item_code')),
+			"item_code": filters.get('item_code'),
-			"txt": frappe.db.escape('%' + txt + '%')
+			"txt": '%' + txt + '%'
 		})