diff --git a/erpnext/utilities/doctype/note/note.py b/erpnext/utilities/doctype/note/note.py
index 2db4137ddda..e076af4073e 100644
--- a/erpnext/utilities/doctype/note/note.py
+++ b/erpnext/utilities/doctype/note/note.py
@@ -27,7 +27,7 @@ def get_permission_query_conditions(user):
 return """(`tabNote`.public=1 or `tabNote`.owner="{user}" or exists ( select name from `tabNote User` where `tabNote User`.parent=`tabNote`.name
- and `tabNote User`.user="{user}"))""".format(user=user)
+ and `tabNote User`.user="{user}"))""".format(user=frappe,db.escape(user))
 def has_permission(doc, ptype, user):
 if doc.public == 1 or user == "Administrator":
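Review bot: The added line writes `frappe,db.escape(user)` with a comma where a dot is needed, so the call parses as `.format(user=frappe, db.escape(user))`, a positional argument after a keyword argument. That is a SyntaxError, so note.py would fail to import and the permission query would never run with the escaping in place; the line should end `.format(user=frappe.db.escape(user))`. The template still wraps the placeholder in literal double quotes (`"{user}"`, used twice, including for `owner`), so it is worth confirming whether `frappe.db.escape` in this version returns a bare escaped string or an already-quoted literal; in the latter case the surrounding quotes must be dropped or the comparison will never match. A short comment such as `# user is interpolated into raw SQL; must stay escaped` above the return would help keep the escaping from being removed later. get_permission_query_conditions begins above the hunk, so any earlier handling of `user` is not visible here.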