From c0ac84977683cce7caa28048413c5ca91f245997 Mon Sep 17 00:00:00 2001
From: Jamsheer
Date: Wed, 9 Jan 2019 11:48:41 +0530
Subject: [PATCH] fix: Helathcare Prcatitioner custom query escaped

---
 .../healthcare_practitioner.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py b/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py
index 891d86557f..ed9eae3529 100644
--- a/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py
+++ b/erpnext/healthcare/doctype/healthcare_practitioner/healthcare_practitioner.py
@@ -83,6 +83,19 @@ def get_practitioner_list(doctype, txt, searchfield, start, page_len, filters=No
 order by
 case when name like %s then 0 else 1 end,
 case when first_name like %s then 0 else 1 end,
- name, first_name limit %s, %s""".format(match_conditions=match_conditions) %
- (", ".join(fields), searchfield, "%s", "%s", "%s", "%s", "%s", "%s"),
- ("%%%s%%" % txt, "%%%s%%" % txt, "%%%s%%" % txt, "%%%s%%" % txt, start, page_len))
+ name, first_name limit %s, %s""".format(
+ match_conditions=match_conditions) %
+ (
+ ", ".join(fields),
+ frappe.db.escape(searchfield),
+ "%s", "%s", "%s", "%s", "%s", "%s"
+ ),
+ (
+ "%%%s%%" % frappe.db.escape(txt),
+ "%%%s%%" % frappe.db.escape(txt),
+ "%%%s%%" % frappe.db.escape(txt),
+ "%%%s%%" % frappe.db.escape(txt),
+ start,
+ page_len
+ )
+ )
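Review bot: The four `"%%%s%%" % frappe.db.escape(txt)` values are passed in the second tuple, i.e. as query parameters that frappe.db.sql already escapes on its own, so pre-escaping them double-escapes: as far as I know frappe.db.escape() of this era also wraps its result in single quotes and doubles `%`, which would make those characters part of the LIKE pattern and break the search rather than harden it; the parameter lines should stay `"%%%s%%" % txt`. The `frappe.db.escape(searchfield)` on the line above is the opposite problem: searchfield is spliced into the SQL text as a column identifier, and a quoting escape turns it into a string literal (`'name' like ...`), which compares a constant instead of the column. For an identifier the right defence is an allowlist check before the query, e.g. `if searchfield not in fields: searchfield = "name"`, after which it can be interpolated unescaped as the removed line did. The body of get_practitioner_list begins outside this hunk, so I cannot see whether such a check already exists upstream.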