diff --git a/api_db.php b/api_db.php
index ef3cfdfc..daa04813 100644
--- a/api_db.php
+++ b/api_db.php
@@ -104,55 +104,20 @@ if (isset($_GET['getAllQueries']) && $auth)
 $dbquery = "SELECT timestamp, type, domain, client, status FROM queries WHERE timestamp >= :from AND timestamp <= :until ";
 if(isset($_GET["types"]))
 {
- $types = intval($_GET["types"]);
- $typestr = "";
- if($types & 1) // GRAVITY
+ $types = $_GET["types"];
+ if(preg_match("/^[0-9]+(?:,[0-9]+)*$/", $types) === 1)
 {
- $typestr = "1";
+ // Append selector to DB query. The used regex ensures
+ // that only numbers, separated by commas are accepted
+ // to avoid code injection and other malicious things
+ // We accept only valid lists like "1,2,3"
+ // We reject ",2,3", "1,2," and similar arguments
+ $dbquery .= "AND status IN (".$types.") ";
 }
- if($types & 2) // FORWARDED
+ else
 {
- if(strlen($typestr) > 0)
- {
- $typestr .= ",";
- }
- $typestr .= "2";
+ die("Error. Selector types specified using an invalid format.");
 }
- if($types & 4) // CACHED
- {
- if(strlen($typestr) > 0)
- {
- $typestr .= ",";
- }
- $typestr .= "3";
- }
- if($types & 8) // REGEX/WILDCARD
- {
- if(strlen($typestr) > 0)
- {
- $typestr .= ",";
- }
- $typestr .= "4";
- }
- if($types & 16) // BLACKLIST
- {
- if(strlen($typestr) > 0)
- {
- $typestr .= ",";
- }
- $typestr .= "5";
- }
- if($types & 32) // EXTERNAL
- {
- if(strlen($typestr) > 0)
- {
- $typestr .= ",";
- }
- $typestr .= "6";
- }
-
- // Append selector to DB query
- $dbquery .= "AND status IN (".$typestr.") ";
 }
 $dbquery .= "ORDER BY timestamp ASC";
 $stmt = $db->prepare($dbquery);
diff --git a/scripts/pi-hole/js/db_queries.js b/scripts/pi-hole/js/db_queries.js
index 67738ae7..3526cb04 100644
--- a/scripts/pi-hole/js/db_queries.js
+++ b/scripts/pi-hole/js/db_queries.js
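Review bot: `$_GET["types"]` can arrive as an array (`types[]=1`), and `preg_match()` on a non-string subject never returns 1 — on PHP 7 it emits a warning and yields null, on PHP 8 it throws a TypeError before the `=== 1` comparison — so the guard should begin with an `is_string()` check. PCRE's `$` also matches before a trailing newline, so `"1,2\n"` satisfies the pattern as written; anchoring with `\z` or the `D` modifier closes that gap: `if(is_string($types) && preg_match("/^[0-9]+(?:,[0-9]+)*$/D", $types) === 1)`. Neither slip lets anything beyond digits, commas and a newline reach the concatenated `IN (...)` clause, so the comment's claim holds, but the old bit-mask code only ever produced status codes 1–6 while the new list accepts any integer (and leading zeros), which is worth stating in the comment since it is now the only validation. The `die()` in the else branch answers with plain text on an endpoint that, judging by the `$stmt = $db->prepare(...)` that follows, otherwise returns query data; if callers expect a structured response the error format is presumably inconsistent, though the response encoding is outside the hunk.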
@@ -143,32 +143,32 @@ function handleAjaxError( xhr, textStatus, error ) {
 
 function getQueryTypes()
 {
- var queryType = 0;
+ var queryType = [];
 if($("#type_gravity").prop("checked"))
 {
- queryType = 1;
+ queryType.push(1);
 }
 if($("#type_forwarded").prop("checked"))
 {
- queryType += 1 << 1;
+ queryType.push(2);
 }
 if($("#type_cached").prop("checked"))
 {
- queryType += 1 << 2;
+ queryType.push(3);
 }
 if($("#type_regex").prop("checked"))
 {
- queryType += 1 << 3;
+ queryType.push(4);
 }
 if($("#type_blacklist").prop("checked"))
 {
- queryType += 1 << 4;
+ queryType.push(5);
 }
 if($("#type_external").prop("checked"))
 {
- queryType += 1 << 5;
+ queryType.push(6);
 }
- return queryType;
+ return queryType.join(",");
 }
 
 var reloadCallback = function()
@@ -208,8 +208,9 @@ function refreshTableData() {
 var APIstring = "api_db.php?getAllQueries&from="+from+"&until="+until;
 // Check if query type filtering is enabled
 var queryType = getQueryTypes();
- if(queryType !== 63) // 63 (0b00111111) = all possible query types are selected
+ if(queryType !== "1,2,3,4,5,6")
 {
+ console.log(queryType);
 APIstring += "&types="+queryType;
 }
 statistics = [0,0,0];
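Review bot: With no checkbox checked, the new getQueryTypes() returns the empty string (`[].join(",")` at the rewritten return), and refreshTableData in the next hunk forwards it as `&types=`, which the new server-side pattern in api_db.php rejects with `die(...)`; the old bit-mask yielded 0, which the server accepted. Either skip or special-case the request in the caller when `queryType === ""`, or have the server treat an empty list as "no statuses" instead of an error — as committed, unticking every box turns into an error response. The six near-identical blocks would also read better as a selector-to-status table walked in one loop, with a comment tying the numbers to the `status` column values api_db.php filters on.
```javascript
function getQueryTypes()
{
    // Checkbox selector -> value of the `status` column filtered by api_db.php
    var statusByCheckbox = {
        "#type_gravity": 1,
        "#type_forwarded": 2,
        "#type_cached": 3,
        "#type_regex": 4,
        "#type_blacklist": 5,
        "#type_external": 6
    };
    var queryType = [];
    $.each(statusByCheckbox, function(selector, status) {
        if($(selector).prop("checked"))
        {
            queryType.push(status);
        }
    });
    return queryType.join(",");
}
```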
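Review bot: `console.log(queryType);` on the new side of the refreshTableData hunk reads as leftover debugging output and will print to every visitor's console on each refresh; drop that line. The sentinel `"1,2,3,4,5,6"` duplicates the status list that getQueryTypes() assembles, so adding or renumbering a checkbox there silently breaks the "all selected" shortcut here — comparing against a constant shared with getQueryTypes(), or counting checked boxes against the total, keeps the two in step. refreshTableData's body starts and continues outside the hunk.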