Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-13617

Bot session continuation with invalid f= query parameter causes SQL error

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • 3.0.14-RC1, 3.1.4-RC1
    • 3.0.13-PL1, 3.1.3
    • Sessions
    • None

      session_begin() and session_create() call session_update(), or in 3.0 simply run an SQL UPDATE query. This query is wrapped in return_on_error statements in session_begin() to avoid issues with a 3.0.2 update that modified the schema of the phpbb_sessions table. The session_create() call does not use return_on_error, it is only used to update bot sessions.

      The session_forum_id column is updated with the f query paramter cast to integer. However this may exceed the allowed values if either a negative parameter (f=-1) or an integer that is too big (f=2147483647) is specified. In this case MySQL returns "Out of range value for column 'session_forum_id' at row 1 " because we enable strict mode in the MySQL DBAL.

      • (3.1+ only) We should look into whether we can avoid using return_on_error for the UPDATE query to become aware of actual SQL errors.
      • (3.1+ only) We should move return_on_error treatment into the update function itself so it is dealt with in the same way in all places
      • We should limit the values for the f paramter to allowed values for the table column

            naderman Nils Adermann
            naderman Nils Adermann
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: