From 17170433e098683ac7df7c8bcc4ed6969b17ff8b Mon Sep 17 00:00:00 2001
From: Andreas <6977712+AndreasK79@users.noreply.github.com>
Date: Sat, 25 Sep 2021 19:49:28 +0200
Subject: [PATCH] [Advanced search] Only run a query which contains select, but not delete or update. Done for safety precautions.

---
 application/controllers/Search.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/application/controllers/Search.php b/application/controllers/Search.php
index 7aa2ef79..b7d1b0d3 100644
--- a/application/controllers/Search.php
+++ b/application/controllers/Search.php
@@ -88,10 +88,13 @@ class Search extends CI_Controller {
 function run_query() {
 $this->db->where('id', xss_clean($this->input->post('id')));
 $sql = $this->db->get('queries')->result();
+ $sql = $sql[0]->query;
- $data['results'] = $this->db->query($sql[0]->query);
+ if (stristr($sql, 'select', ) && !stristr($sql, 'delete') && !stristr($sql, 'update')) {
+ $data['results'] = $this->db->query($sql);
- $this->load->view('search/search_result_ajax', $data);
+ $this->load->view('search/search_result_ajax', $data);
+ }
 }
 function save_query() {
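Review bot: The keyword filter on the new `if` in run_query is a blocklist, not a safe gate: it still passes `INSERT`, `DROP`, `TRUNCATE`, `ALTER`, `GRANT`, `INTO OUTFILE` and, where the driver allows them, stacked statements such as `SELECT 1; DROP TABLE users`, while `stristr($sql, 'select')` is satisfied by the word appearing anywhere (a comment, an alias) and the `update` check rejects harmless selects that mention a column like `updated_at`. A stronger check anchors on the statement start and forbids statement separators, e.g. `if (preg_match('/^\s*select\b/i', $sql) && strpos($sql, ';') === false) {`, but the durable control is least privilege: execute stored queries over a dedicated read-only database connection/user so this filter is defence in depth rather than the only barrier. The added `$sql = $sql[0]->query;` still dereferences an empty result set when no row matches the posted `id`, and when the filter rejects a query the method now returns silently with no view and no error, which the caller cannot distinguish from an empty result. The trailing comma in `stristr($sql, 'select', )` also looks accidental and only parses on PHP 7.3+. save_query begins on the hunk's last line and continues outside it.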