From c64511180076f0c21ccb3800baf64d6f4ff05405 Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Fri, 16 Jan 2015 15:47:33 +0530
Subject: [PATCH] [fix] escape quotes in permission conditions
---
 frappe/model/db_query.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 79ef0e63d4..1df71f870b 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -279,7 +279,7 @@ class DatabaseQuery(object):
 or `tab{doctype}`.`{fieldname}` in ({values}))""".format(
 doctype=self.doctype,
 fieldname=df.fieldname,
- values=", ".join([('"'+v.replace('"', '\"')+'"') for v in user_permissions[df.options]])
+ values=", ".join([('"'+frappe.db.escape(v)+'"') for v in user_permissions[df.options]])
 ))
 match_filters[df.options] = user_permissions[df.options]
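Review bot: The new `values=` line still builds the `in ({values})` list by concatenating `'"' + frappe.db.escape(v) + '"'` into the SQL text, so the condition is only as safe as the fit between that helper's escaping and a double-quoted literal. Binding the values as query parameters would remove that dependency, though the code that consumes `match_conditions` is outside this hunk and may not accept parameters. If concatenation stays, a comment on that line would record the assumption, e.g. `# embedded in a double-quoted SQL literal: escape() must neutralise both " and \ and must not add its own quotes`. If the backend is MySQL/MariaDB, as the backticked identifiers suggest, it is also worth confirming the server does not run with ANSI_QUOTES or NO_BACKSLASH_ESCAPES. The removed `v.replace('"', '\"')` was a no-op because `'\"'` and `'"'` are the same Python string, so a regression test with a permission value containing a double quote and a backslash would pin the fix; the enclosing method starts and ends outside the hunk.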