From 583747f6db8a4651fcfde505246d368c39110062 Mon Sep 17 00:00:00 2001
From: Anthony Talarico
Date: Thu, 4 Oct 2018 16:39:50 -0400
Subject: [PATCH] fixing the textsearch ajax model to allow for variable database column names from an ajax request

---
 models/admin/ajax/glmTextSearch.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/models/admin/ajax/glmTextSearch.php b/models/admin/ajax/glmTextSearch.php
index d9fa9136..512fdb99 100644
--- a/models/admin/ajax/glmTextSearch.php
+++ b/models/admin/ajax/glmTextSearch.php
@@ -75,9 +75,10 @@ class GlmMembersAdmin_ajax_glmTextSearch
 global $wpdb;
 $status = $this->config['status_numb']['Active'];
 if( isset( $_REQUEST['table'] ) ){
- $clause = filter_var($_REQUEST['where'], FILTER_SANITIZE_STRING);
- $searchQuery = filter_var($_REQUEST['query'], FILTER_SANITIZE_STRING);
- $fields = $_REQUEST['fields'];
+ $clause = filter_var($_REQUEST['where'], FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
+ $clause = stripslashes($clause);
+ $searchQuery = filter_var($_REQUEST['query'], FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
+ $fields = filter_var($_REQUEST['fields'], FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
 $fields = stripslashes($fields);
 $table = filter_var($_REQUEST['table'], FILTER_SANITIZE_STRING);
 $sql = "SELECT $fields FROM $table where $clause like '%$searchQuery%'";
@@ -93,6 +94,7 @@ class GlmMembersAdmin_ajax_glmTextSearch
 }
 $return = array(
+ "test" => $sql,
 'searchData' => $searchData // Where our events list will go
 );
--
2.17.1
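Review bot: The new assignments still feed `$fields`, `$table`, `$clause` and `$searchQuery` straight from `$_REQUEST` into the string-built statement on the hunk's last context line, and by switching to `FILTER_FLAG_NO_ENCODE_QUOTES` and adding `stripslashes()` the commit also removes the quote encoding that previously blunted a quoted value in `$searchQuery`, so every part of the query is now caller-controlled. FILTER_SANITIZE_STRING only strips tags (and is deprecated since PHP 8.1); it is not an SQL escape. Identifier positions cannot be bound as parameters, so `$table`, `$clause` and `$fields` should be checked against an allowlist of the tables/columns this endpoint is meant to expose (at minimum restricted to `[A-Za-z0-9_]` and commas for the field list), while the LIKE value should be passed through `$wpdb->prepare()` with `$wpdb->esc_like()` — `$wpdb` is already declared global at the top of the hunk. The statement is executed outside the hunk, so the validation has to sit before that point; a sketch follows.
```php
        if( isset( $_REQUEST['table'] ) ){
            // Identifiers cannot be bound as parameters: accept only plain
            // names and check them against the tables/columns this endpoint
            // is meant to expose (allowlist constant: placeholder, fill from
            // the plugin's schema).
            $table  = $_REQUEST['table'];
            $clause = $_REQUEST['where'];
            $fields = $_REQUEST['fields'];
            if ( !preg_match('/^[A-Za-z0-9_]+$/', $table)
                || !preg_match('/^[A-Za-z0-9_]+$/', $clause)
                || !preg_match('/^[A-Za-z0-9_]+(\s*,\s*[A-Za-z0-9_]+)*$/', $fields) ) {
                // reject the request here and return an error payload (omitted)
            }
            // The search term is data: bind it, and escape LIKE wildcards.
            $sql = $wpdb->prepare(
                "SELECT $fields FROM $table WHERE $clause LIKE %s",
                '%' . $wpdb->esc_like( $_REQUEST['query'] ) . '%'
            );
            // … unchanged: query execution and result handling (outside the hunk) …
```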
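Review bot: `"test" => $sql` sends the assembled SQL statement back to the AJAX caller, which discloses table and column names to any client that can reach this endpoint and reads like a debugging leftover; drop the key before merge, or log it server-side instead. The key also uses double quotes where the neighbouring `'searchData'` entry uses single quotes, so the array is inconsistently styled. The enclosing method begins outside the hunk.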