allow api _plainsql special parameter only for internal calls, not needed anywhere else

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-12-14 18:42:06 +01:00
parent e5b6492804
commit c19b7d02ab
3 changed files with 10 additions and 3 deletions


@@ -276,7 +276,7 @@ abstract class ApiCommand extends ApiParameter
];
$first = true;
foreach ($search as $field => $valoper) {
if ($field == '_plainsql') {
if ($field == '_plainsql' && $this->internal_call) {
if (isset($valoper['sql']) && isset($valoper['values']) && is_array($valoper['values'])) {
if (preg_match('/^([a-z0-9\-\.,=\+_`\(\)\:\'\"\!\<\>\ ]+)$/i', $valoper['sql']) == false) {
// skip
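Review bot: The new condition `$field == '_plainsql' && $this->internal_call` only keeps external callers out of the raw-SQL branch; a `_plainsql` key sent by an external call no longer matches here and presumably falls through to the generic field handling that follows the hunk, so it is worth confirming that it is not then treated as an ordinary column name, and rejecting it explicitly instead, e.g. `if ($field === '_plainsql') { if (!$this->internal_call) { continue; }` with the existing body nested below. Using `===` also avoids the loose comparison against a key that may be an integer. This assumes `$this->internal_call` is set only by the internal dispatcher and never from request data; that is not visible in the hunk and should be checked where it is assigned. Note that the allow-list regex on the next line still admits quotes, parentheses and comparison operators, so internal callers remain responsible for passing only trusted SQL fragments. The enclosing method starts and ends outside the hunk.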