Here's a breakdown of what they did...
================================
$tmp=strstr($QUERY_STRING, "XCARTSESSID=");
// Find the xcart session ID in the search string
if (!empty($tmp))
// If the session ID is found do the following
$QUERY_STRING=ereg_replace("XCARTSESSID=([0-9a-zA-Z]*)", "", $QUERY_STRING);
// Strip out the xcart session ID and its value then replace it with nothing, then set $QUERY_STRING equal to the resulting value
if(!empty($QUERY_STRING)) {
// if the resulting value is not empty then do the following
================================
They then just bypassed all that with:
================================
if(isset($substring)) {
// if you have a substring (the value submitted by the form) then run the following code
================================
Weird thing is that the code they stripped out is in my search.php file and it works well.
Hope that's clear! 