diff --git a/erpnext/accounts/page/accounts_browser/accounts_browser.py b/erpnext/accounts/page/accounts_browser/accounts_browser.py
index 593794a5cb5..341486e9c67 100644
--- a/erpnext/accounts/page/accounts_browser/accounts_browser.py
+++ b/erpnext/accounts/page/accounts_browser/accounts_browser.py
@@ -26,9 +26,9 @@ def get_children():
 acc = frappe.db.sql(""" select
 name as value, is_group as expandable %s
 from `tab%s`
- where ifnull(parent_%s,'') = ''
+ where ifnull(`parent_%s`,'') = ''
 and `company` = %s and docstatus<2
- order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+ order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 company, as_dict=1)
 
 if args["parent"]=="Accounts":
@@ -38,9 +38,9 @@ def get_children():
 acc = frappe.db.sql("""select
 name as value, is_group as expandable
 from `tab%s`
- where ifnull(parent_%s,'') = %s
+ where ifnull(`parent_%s`,'') = %s
 and docstatus<2
- order by name""" % (ctype, ctype.lower().replace(' ','_'), '%s'),
+ order by name""" % (frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 args['parent'], as_dict=1)
 
 if ctype == 'Account':
diff --git a/erpnext/accounts/utils.py b/erpnext/accounts/utils.py
index 51c79160c7a..2b1f65c53a4 100644
--- a/erpnext/accounts/utils.py
+++ b/erpnext/accounts/utils.py
@@ -62,7 +62,7 @@ def get_balance_on(account=None, date=None, party_type=None, party=None):
 cond = []
 if date:
- cond.append("posting_date <= '%s'" % date)
+ cond.append("posting_date <= '%s'" % frappe.db.escape(date))
 else:
 # get balance of all entries that exist
 date = nowdate()
 
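Review bot: `frappe.db.escape(ctype)` and `frappe.db.escape(ctype.lower().replace(' ','_'))` are string-literal escapes, but both results are substituted into identifiers (`tab%s` and the newly backtick-quoted `parent_%s`); a string-literal escape is not expected to neutralise backticks, so a value containing one can still end the quoted name, and the @@ -38 hunk repeats the same pattern. Escaping is the wrong tool for identifiers: since `ctype` is presumably request-supplied (its assignment lies outside the hunk), validate it against the fixed set of doctypes this browser serves before any query text is built, e.g. `if ctype not in ("Account", ...): frappe.throw(...)`, and derive the `parent_` column name from the validated value only. With that guard the escape calls become redundant but harmless. The rest of get_children is outside the hunk.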
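Review bot: `cond.append("posting_date <= '%s'" % frappe.db.escape(date))` still builds the predicate by string interpolation even though `frappe.db.sql` takes bound values (the accounts_browser hunks pass `company` through a `%s` placeholder that way); collecting `date` into a values list and leaving a bare `%s` in the condition removes the need to escape at all, and the same applies to the `account`, `party_type` and `party` predicates in the @@ -95 hunk. If this project's `frappe.db.escape` already returns the value wrapped in quotes, the hand-written `'...'` around the placeholder would yield a doubly-quoted literal, which is worth confirming against the helper before merging. The `cond` list is joined into the query outside the hunk, and get_balance_on's signature precedes it.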
@@ -95,12 +95,12 @@ def get_balance_on(account=None, date=None, party_type=None, party=None):
 and ac.lft >= %s and ac.rgt <= %s
 )""" % (acc.lft, acc.rgt))
 else:
- cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), ))
+ cond.append("""gle.account = "%s" """ % (frappe.db.escape(account),))
 
 if party_type and party:
 cond.append("""gle.party_type = "%s" and gle.party = "%s" """ %
- (party_type.replace('"', '\\"'), party.replace('"', '\\"')))
-
+ (frappe.db.escape(party_type), frappe.db.escape(party)))
+
 if account or (party_type and party):
 bal = frappe.db.sql("""
 SELECT sum(ifnull(debit, 0)) - sum(ifnull(credit, 0))
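Review bot: The rewritten predicates keep double-quoted SQL string literals (`gle.account = "%s"` and `gle.party_type = "%s" and gle.party = "%s"`), whereas the @@ -62 hunk of the same function quotes `posting_date` with single quotes; under MySQL/MariaDB's `ANSI_QUOTES` sql_mode double quotes delimit identifiers, so `'%s'` would be both consistent within get_balance_on and robust to server configuration. The removed and re-added blank line between the two predicates is a whitespace-only change and could be left out of the hunk. `cond` is assembled into the final query below the hunk.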