diff --git a/frappe/core/doctype/event/event.py b/frappe/core/doctype/event/event.py
index ed93839f2e..9f3afbc64f 100644
--- a/frappe/core/doctype/event/event.py
+++ b/frappe/core/doctype/event/event.py
@@ -27,8 +27,8 @@ def get_permission_query_conditions(user):
 `tabEvent Role`.parent=tabEvent.name and `tabEvent Role`.role in ('%(roles)s'))) """ % {
- "user": user,
- "roles": "', '".join(frappe.get_roles(user))
+ "user": frappe.db.escape(user),
+ "roles": "', '".join([frappe.db.escape(r) for r in frappe.get_roles(user)])
 }
 def has_permission(doc, user):
diff --git a/frappe/core/doctype/todo/todo.py b/frappe/core/doctype/todo/todo.py
index 5d67314780..c2ad2df09d 100644
--- a/frappe/core/doctype/todo/todo.py
+++ b/frappe/core/doctype/todo/todo.py
@@ -77,7 +77,8 @@ def get_permission_query_conditions(user):
 if "System Manager" in frappe.get_roles(user):
 return None
 else:
- return """(tabToDo.owner = '{user}' or tabToDo.assigned_by = '{user}')""".format(user=user)
+ return """(tabToDo.owner = '{user}' or tabToDo.assigned_by = '{user}')"""\
+ .format(user=frappe.db.escape(user))
 def has_permission(doc, user):
 if "System Manager" in frappe.get_roles(user):
diff --git a/frappe/test_runner.py b/frappe/test_runner.py
index 7010258130..2326f9d449 100644
--- a/frappe/test_runner.py
+++ b/frappe/test_runner.py
@@ -187,11 +187,11 @@ def make_test_objects(doctype, test_records, verbose=None):
 records = []
 if not frappe.get_meta(doctype).issingle:
- existing = frappe.get_list(doctype, filters={"name":("like", "_T-" + doctype + "-%")})
+ existing = frappe.get_all(doctype, filters={"name":("like", "_T-" + doctype + "-%")})
 if existing:
 return [d.name for d in existing]
- existing = frappe.get_list(doctype, filters={"name":("like", "_Test " + doctype + "%")})
+ existing = frappe.get_all(doctype, filters={"name":("like", "_Test " + doctype + "%")})
 if existing:
 return [d.name for d in existing]
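Review bot: In the event.py hunk the escaped values are still placed between quotes that the template supplies (`'%(roles)s'` here, `'{user}'` in the todo.py hunk), so the fix holds only while `frappe.db.escape` returns escaped text without adding quotes of its own. A comment at the substitution would pin that contract, e.g. `# frappe.db.escape() must return unquoted text: the template supplies the quotes`. The commit also adds no regression test; one that calls `get_permission_query_conditions` with a user value containing a single quote and checks the returned condition would cover both this function and the one in todo.py. The function body starts above the hunk, so whether `user` can still be None when it reaches `escape` is not visible here.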
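Review bot: The backslash continuation in the new `return` in todo.py is fragile, since anything after the `\`, even trailing whitespace, is a syntax error. Binding the escaped value first avoids the continuation: `user = frappe.db.escape(user)` followed by `return "(tabToDo.owner = '{user}' or tabToDo.assigned_by = '{user}')".format(user=user)`. The triple quotes are not needed for a one-line string. The function begins above the hunk, so the earlier handling of `user` is not visible.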
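Review bot: Both lookups in `make_test_objects` in test_runner.py now call `frappe.get_all`, which as far as I know skips the permission checks that `frappe.get_list` applies, and nothing in the hunk records why. A comment above the first call would state the intent and discourage copying the pattern into request-handling code, e.g. `# get_all: existing test records must be found regardless of the session user's permissions`. Separately, the leading `_` in `"_T-"` and `"_Test "` is a single-character wildcard in a LIKE pattern, so the filters match more names than the literal prefix; whether that matters for test fixtures is worth confirming. The function continues outside the hunk.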