fix: use query builder instead of raw SQL in get_blanket_orders

(cherry picked from commit 1db135262d)

erpnext/controllers/queries.py

@@ -528,21 +528,27 @@ def get_account_list(doctype, txt, searchfield, start, page_len, filters):
 @frappe.whitelist()
 @frappe.validate_and_sanitize_search_inputs
 def get_blanket_orders(doctype, txt, searchfield, start, page_len, filters):
-	return frappe.db.sql(
-		"""select distinct bo.name, bo.blanket_order_type, bo.to_date
-		from `tabBlanket Order` bo, `tabBlanket Order Item` boi
-		where
-			boi.parent = bo.name
-			and boi.item_code = {item_code}
-			and bo.blanket_order_type = '{blanket_order_type}'
-			and bo.company = {company}
-			and bo.docstatus = 1""".format(
-			item_code=frappe.db.escape(filters.get("item")),
-			blanket_order_type=filters.get("blanket_order_type"),
-			company=frappe.db.escape(filters.get("company")),
+	bo = frappe.qb.DocType("Blanket Order")
+	bo_item = frappe.qb.DocType("Blanket Order Item")
+
+	blanket_orders = (
+		frappe.qb.from_(bo)
+		.from_(bo_item)
+		.select(bo.name)
+		.distinct()
+		.select(bo.blanket_order_type, bo.to_date)
+		.where(
+			(bo_item.parent == bo.name)
+			& (bo_item.item_code == filters.get("item"))
+			& (bo.blanket_order_type == filters.get("blanket_order_type"))
+			& (bo.company == filters.get("company"))
+			& (bo.docstatus == 1)
 		)
+		.run()
 	)
 
+	return blanket_orders
+
 
 @frappe.whitelist()
 @frappe.validate_and_sanitize_search_inputs