diff --git a/modules/reporting/app/models/cost_query/custom_field_mixin.rb b/modules/reporting/app/models/cost_query/custom_field_mixin.rb
index 9eedfdc55b8..d101ae75461 100644
--- a/modules/reporting/app/models/cost_query/custom_field_mixin.rb
+++ b/modules/reporting/app/models/cost_query/custom_field_mixin.rb
@@ -113,7 +113,7 @@ module CostQuery::CustomFieldMixin custom_options_table = CustomOption.table_name <<-SQL
- -- BEGIN Custom Field Join: #{db_field}
+ -- BEGIN Custom Field Join: cf_#{field.id}
 LEFT OUTER JOIN ( SELECT co.id AS #{db_field},
@@ -129,16 +129,16 @@ module CostQuery::CustomFieldMixin AND #{db_field}.custom_field_id = #{field.id} AND #{db_field}.customized_id = entries.entity_id
- -- END Custom Field Join: #{db_field}
+ -- END Custom Field Join: cf_#{field.id}
 SQL
 end
 def default_join_table(field)
- <<-SQL % [CustomValue.table_name, table_name, field.id, field.name, SQL_TYPES[field.field_format]]
- -- BEGIN Custom Field Join: "%4$s"
+ <<-SQL % [CustomValue.table_name, table_name, field.id, SQL_TYPES[field.field_format]]
+ -- BEGIN Custom Field Join: cf_%3$d
 LEFT OUTER JOIN (
 \tSELECT
- \t\tCAST(value AS %5$s) AS %2$s,
+ \t\tCAST(value AS %4$s) AS %2$s,
 \t\tcustomized_type,
 \t\tcustom_field_id,
 \t\tcustomized_id
@@ -148,7 +148,7 @@ module CostQuery::CustomFieldMixin ON %2$s.customized_type = 'WorkPackage' AND %2$s.custom_field_id = %3$d AND %2$s.customized_id = entries.entity_id
- -- END Custom Field Join: "%4$s"
+ -- END Custom Field Join: cf_%3$d
 SQL
 end
diff --git a/modules/reporting/spec/models/cost_query/custom_field_mixin_spec.rb b/modules/reporting/spec/models/cost_query/custom_field_mixin_spec.rb
new file mode 100644
index 00000000000..9023483bcbd
--- /dev/null
+++ b/modules/reporting/spec/models/cost_query/custom_field_mixin_spec.rb
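Review bot: Neither the `-- BEGIN/END Custom Field Join: cf_#{field.id}` lines in the first two hunks nor the `cf_%3$d` markers in default_join_table record why the marker was moved from the field name to the numeric id, so a later edit could reintroduce `field.name` into the comment. Add a one-line comment above the heredoc in both methods, e.g. `# Marker uses the numeric id on purpose: custom field names are user-supplied text and must not be interpolated into SQL, not even inside a comment.`. The first method's `def` lies above hunk 1 and default_join_table's body spans hunks 2 and 3, so the placement in the first method is outside what this diff shows. The remaining `%2$s`/`#{db_field}` interpolations are identifiers rather than the name, which is consistent with the fix as far as the hunks show.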
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "../../spec_helper"
+
+RSpec.describe CostQuery::CustomFieldMixin, :reporting_query_helper do
+ minimal_query
+
+ let!(:project) { create(:project_with_types) }
+ let!(:user) { create(:admin) }
+
+ describe "#default_join_table" do
+ let!(:custom_field) do
+ create(:wp_custom_field, :string, name: "Robert'); DROP TABLE Students;-- Roberts")
+ end
+
+ before do
+ CostQuery::Cache.reset!
+ CostQuery::Filter::CustomFieldEntries.all
+ end
+
+ after do
+ CostQuery::Cache.reset!
+ CostQuery::Filter::CustomFieldEntries.reset!
+ end
+
+ it "uses field.id in the SQL comment and does not include the field name" do
+ query.filter custom_field.attribute_name, operator: "=", value: "test"
+ sql = query.sql_statement.to_s
+
+ expect(sql).to include("-- BEGIN Custom Field Join: cf_#{custom_field.id}")
+ expect(sql).to include("-- END Custom Field Join: cf_#{custom_field.id}")
+ expect(sql).not_to include("DROP TABLE students")
+ expect(sql).to include("CAST(value AS varchar)")
+ end
+ end
+end
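Review bot: The negative assertion `expect(sql).not_to include("DROP TABLE students")` cannot fail on the name it is guarding against: the custom field is created with `"DROP TABLE Students"` (capital S) and `include` is case-sensitive, so the check passes even if the name were still interpolated into the comment, unless something outside this hunk lowercases it. Assert on the value actually used, `expect(sql).not_to include(custom_field.name)`, which also covers the quote and `--` characters in the name. The positive `CAST(value AS varchar)` check presumably relies on SQL_TYPES mapping the :string format to varchar, which this spec does not show.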