diff --git a/file.php b/file.php
index ed0a4465e845f90377e05905c53d9b1b37962f58..33ffec5ff1cf038dbfb999b64ce8af5d1c1db3b7 100644
--- a/file.php
+++ b/file.php
@@ -21,7 +21,7 @@ require_once(INCLUDE_DIR.'class.file.php');
 if (!$_GET['key']
     || !$_GET['signature']
     || !$_GET['expires']
-    || !($file = AttachmentFile::lookup($_GET['key']))
+    || !($file = AttachmentFile::lookupByHash($_GET['key']))
 ) {
     Http::response(404, __('Unknown or invalid file'));
 }
diff --git a/include/class.orm.php b/include/class.orm.php
index 1f37f679b60d64ad62dec1939563d16a2f2b405f..7539c144564aba7d5c5922632fe341dc4e9abd9e 100644
--- a/include/class.orm.php
+++ b/include/class.orm.php
@@ -2601,7 +2601,7 @@ class MySqlCompiler extends SqlCompiler {
     }
 
     function quote($what) {
-        return "`$what`";
+        return sprintf("`%s`", str_replace("`", "``", $what));
     }
 
     /**