Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-13617

Bot session continuation with invalid f= query parameter causes SQL error



      session_begin() and session_create() call session_update(), or in 3.0 simply run an SQL UPDATE query. This query is wrapped in return_on_error statements in session_begin() to avoid issues with a 3.0.2 update that modified the schema of the phpbb_sessions table. The session_create() call does not use return_on_error, it is only used to update bot sessions.

      The session_forum_id column is updated with the f query paramter cast to integer. However this may exceed the allowed values if either a negative parameter (f=-1) or an integer that is too big (f=2147483647) is specified. In this case MySQL returns "Out of range value for column 'session_forum_id' at row 1 " because we enable strict mode in the MySQL DBAL.

      • (3.1+ only) We should look into whether we can avoid using return_on_error for the UPDATE query to become aware of actual SQL errors.
      • (3.1+ only) We should move return_on_error treatment into the update function itself so it is dealt with in the same way in all places
      • We should limit the values for the f paramter to allowed values for the table column




            • Assignee:
              naderman Nils Adermann
              naderman Nils Adermann
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: