diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 79ef0e63d4..1df71f870b 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -279,7 +279,7 @@ class DatabaseQuery(object):
 or `tab{doctype}`.`{fieldname}` in ({values}))""".format( doctype=self.doctype, fieldname=df.fieldname,
- values=", ".join([('"'+v.replace('"', '\"')+'"') for v in user_permissions[df.options]])
+ values=", ".join([('"'+frappe.db.escape(v)+'"') for v in user_permissions[df.options]])
 ))
 match_filters[df.options] = user_permissions[df.options]
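Review bot: The new `values=` line still builds the `in (...)` list by string concatenation and wraps each value in a hand-written pair of double quotes, so it is only safe if `frappe.db.escape` neutralises both double quotes and backslashes and adds no quotes of its own. That contract is not visible in this hunk, so I would state it at the call site, e.g. `# escape() must handle both '"' and backslash; the value is wrapped in double quotes here`. A regression test with a permission value containing a double quote and a backslash would pin this down; the removed `v.replace('"', '\"')` was a no-op (`'\"'` is just `"` in Python) and nothing caught it. Separately, an empty `user_permissions[df.options]` would render `in ()`, which is a syntax error in MySQL-family databases; whether callers can pass an empty list is not shown here. The enclosing method starts and ends outside the hunk.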