It is possible to add extra information by SQL injection on search pages.

User must be logged in, and it seems injection real capacities has low impact.