frappe · akhilnarang · Jul 7, 2025 · Jun 25, 2025 · Jul 2, 2025
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
@@ -1112,8 +1112,9 @@ def validate_order_by_and_group_by(self, parameters: str):
 			frappe.throw(_("Illegal SQL Query"))
 
 		for field in parameters.split(","):
+			if field.count('"') % 2 or field.count("'") % 2 or field.count("`") % 2:
+				frappe.throw(_("Invalid field name: {0}").format(field))
 			field = field.strip()
-			function = field.split("(", 1)[0].rstrip().lower()
 			full_field_name = "." in field and field.startswith("`tab")
 
 			if full_field_name:
@@ -1123,9 +1124,10 @@ def validate_order_by_and_group_by(self, parameters: str):
 						tbl = tbl[4:-1]
 					frappe.throw(_("Please select atleast 1 column from {0} to sort/group").format(tbl))
 
-			# Check if the function is used anywhere in the field
-			if any(func in function for func in blacklisted_sql_functions):
-				frappe.throw(_("Cannot use {0} in order/group by").format(function))
+			# Check for SQL function using regex with word boundaries and optional whitespace before parenthesis
+			for func in blacklisted_sql_functions:
+				if re.search(r"\b" + re.escape(func) + r"\s*\(", field.lower()):
+					frappe.throw(_("Cannot use {0} in order/group by").format(field))
 
 	def add_limit(self):
 		if self.limit_page_length: