From ad412de054ec64ddee9c4b506e1d96d3d8032efd Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Thu, 11 Jan 2018 15:00:35 +0530
Subject: [PATCH] Escape name in sql query

---
 frappe/model/naming.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frappe/model/naming.py b/frappe/model/naming.py
index 6ccc5a0a19..b257db40a9 100644
--- a/frappe/model/naming.py
+++ b/frappe/model/naming.py
@@ -199,11 +199,14 @@ def _set_amended_name(doc):
 
 def append_number_if_name_exists(doctype, name, fieldname='name', separator='-'):
 	if frappe.db.exists(doctype, name):
+		# should be escaped 2 times since
+		# python string will parse the first escape
+		escaped_name = re.escape(re.escape(name))
 		last = frappe.db.sql("""select name from `tab{doctype}`
 			where {fieldname} regexp '^{name}{separator}[[:digit:]]+'
 			order by length({fieldname}) desc, {fieldname} desc limit 1""".format(doctype=doctype,
-				name=name, fieldname=fieldname, separator=separator))
+				name=escaped_name, fieldname=fieldname, separator=separator), debug=1)
 
 		if last:
 			count = str(cint(last[0][0].rsplit("-", 1)[1]) + 1)
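Review bot: The escaped value on the `name=escaped_name` line is still spliced into the SQL text through `.format`, and `re.escape` is a regex escape rather than a SQL quote — on Python 3.7+ it leaves `'` untouched, so a quote in `name` still terminates the literal, while `doctype`, `fieldname` and `separator` remain unescaped and `separator` is also used as raw regex syntax. Binding the pattern as a query parameter (`regexp %s` with `frappe.db.sql(query, (pattern,))`, which frappe's `sql` helper already accepts as its values argument) closes both gaps and needs only one `re.escape`, because the driver's quoting carries the backslashes through MySQL's string-literal parser intact. The new comment is also misleading: Python does not re-parse backslashes in a runtime string value, the second level is consumed by MySQL's literal parser, so if the double escape stays it should read `# escaped twice: MySQL's string-literal parser strips one level of backslashes before the regexp engine sees the pattern`. `debug=1` on the changed call line looks like a leftover and logs every query issued on this naming path; drop it before merge. The trailing context still hard-codes `rsplit("-", 1)` instead of `separator`, and the rest of `append_number_if_name_exists` is outside the hunk.
```python
def append_number_if_name_exists(doctype, name, fieldname='name', separator='-'):
	if frappe.db.exists(doctype, name):
		# one re.escape is enough: the pattern is bound by the driver, so the
		# regexp engine sees the backslashes exactly as Python produced them
		pattern = '^{0}{1}[[:digit:]]+'.format(re.escape(name), re.escape(separator))
		last = frappe.db.sql("""select name from `tab{doctype}`
			where {fieldname} regexp %s
			order by length({fieldname}) desc, {fieldname} desc limit 1""".format(
				doctype=doctype, fieldname=fieldname), (pattern,))
		# … unchanged: count handling …
```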