[PHPBB3-10021] "Find a member" generates SQL error when large dates are entered

Details

Type: Bug
Status: Unverified Fix
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.0.8
Fix Version/s: 3.0.9-RC1
Component/s: ACP
Labels:
None
Environment:
PHP 5.1.6 Mysql 5.0.77 (CentOS 5.5 Build)

GitHub Pull Request URL:
https://github.com/bantu/phpbb3/compare/ticket/10021
Fix URL:
https://github.com/phpbb/phpbb3/pull/109

Description

Entering an invalid date (20111-02-03 in this case) into the "Find a member" search forms "joined" input element results in SQL query error (General Error) copied below.

General Error
SQL ERROR [ mysqli ]

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 4 [1064]

SQL

SELECT COUNT(u.user_id) AS total_users FROM phpbb_users u WHERE u.user_type IN (0, 3) AND u.user_regdate <

BACKTRACE

FILE: includes/db/mysqli.php
LINE: 163
CALL: dbal->sql_error()

FILE: memberlist.php
LINE: 1263
CALL: dbal_mysqli->sql_query()

Issue Links

is related to

PHPBB3-10104 missing one intval() along with others already being there

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Ruslan Uzdenov added a comment - 07/Feb/11 3:48 PM

The cause of the issue is the fact that mktime () (and hence gmmktime()) can handle year values up to 2038 (at least on 32bit systems):

The number of the year, may be a two or four digit value, with values between 0-69 mapping to 2000-2069 and 70-100 to 1970-2000. On systems where time_t is a 32bit signed integer, as most common today, the valid range for year is somewhere between 1901 and 2038. However, before PHP 5.1.0 this range was limited from 1970 to 2038 on some systems (e.g. Windows).

PHP: mktime - Manual.

So use of 20111 may cause the problem on some installations.
Validation of "Joined" and "Last active" dates would be a good idea.

Show

Ruslan Uzdenov added a comment - 07/Feb/11 3:48 PM The cause of the issue is the fact that mktime () (and hence gmmktime()) can handle year values up to 2038 (at least on 32bit systems): The number of the year, may be a two or four digit value, with values between 0-69 mapping to 2000-2069 and 70-100 to 1970-2000. On systems where time_t is a 32bit signed integer, as most common today, the valid range for year is somewhere between 1901 and 2038. However, before PHP 5.1.0 this range was limited from 1970 to 2038 on some systems (e.g. Windows). PHP: mktime - Manual . So use of 20111 may cause the problem on some installations. Validation of "Joined" and "Last active" dates would be a good idea.

Hide

Permalink

Ruslan Uzdenov added a comment - 07/Feb/11 4:06 PM

Although validate_data() will be ineffective since validate_date() used in it applies ckeckdate() which allows year value between 1 and 32767 inclusive.

Show

Ruslan Uzdenov added a comment - 07/Feb/11 4:06 PM Although validate_data() will be ineffective since validate_date() used in it applies ckeckdate() which allows year value between 1 and 32767 inclusive.

Hide

Permalink

Andreas Fischer added a comment - 15/Mar/11 12:21 AM

Put the code into a function.

Show

Andreas Fischer added a comment - 15/Mar/11 12:21 AM Put the code into a function.

Hide

Permalink

Andreas Fischer added a comment - 18/Mar/11 1:54 AM

Looking at the code again, I would say there is only little gain in using a function.

Show

Andreas Fischer added a comment - 18/Mar/11 1:54 AM Looking at the code again, I would say there is only little gain in using a function.

Hide

Permalink

Andreas Fischer added a comment - 26/Mar/11 4:58 PM

Merged by Igor.

Show

Andreas Fischer added a comment - 26/Mar/11 4:58 PM Merged by Igor.

People

Assignee:

Andreas Fischer

Reporter:

siosal

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

03/Feb/11 6:40 PM

Updated:

26/Mar/11 4:58 PM

Resolved:

18/Mar/11 1:54 AM

Details

Description

Issue Links

Activity

People

Dates

Development