From 6a7969117f1ec438f25ec5f8bfbbec10a04ef01d Mon Sep 17 00:00:00 2001
From: Mangesh-Khairnar <mkhairnar10@gmail.com>
Date: Mon, 8 Jul 2019 10:40:40 +0530
Subject: [PATCH] fix(bom): escape name with wildcard character (#18164)

---
 erpnext/controllers/queries.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/erpnext/controllers/queries.py b/erpnext/controllers/queries.py
index d74bc0ea18..47c9f0a4ce 100644
--- a/erpnext/controllers/queries.py
+++ b/erpnext/controllers/queries.py
@@ -206,10 +206,11 @@ def bom(doctype, txt, searchfield, start, page_len, filters):
 			if(locate(%(_txt)s, name), locate(%(_txt)s, name), 99999),
 			idx desc, name
 		limit %(start)s, %(page_len)s """.format(
-			fcond=get_filters_cond(doctype, filters, conditions),
+			fcond=get_filters_cond(doctype, filters, conditions).replace('%', '%%'),
 			mcond=get_match_cond(doctype),
-			key=searchfield), {
-			'txt': '%' + txt + '%',
+			key=frappe.db.escape(searchfield)),
+		{
+			'txt': "%"+frappe.db.escape(txt)+"%",
 			'_txt': txt.replace("%", ""),
 			'start': start or 0,
 			'page_len': page_len or 20