Bot session continuation with invalid f= query parameter causes SQL error

session_begin() and session_create() call session_update(), or in 3.0 simply run an SQL UPDATE query. This query is wrapped in return_on_error statements in session_begin() to avoid issues with a 3.0.2 update that modified the schema of the phpbb_sessions table. The session_create() call does not use return_on_error, it is only used to update bot sessions.

The session_forum_id column is updated with the f query paramter cast to integer. However this may exceed the allowed values if either a negative parameter (f=-1) or an integer that is too big (f=2147483647) is specified. In this case MySQL returns "Out of range value for column 'session_forum_id' at row 1 " because we enable strict mode in the MySQL DBAL.

• (3.1+ only) We should look into whether we can avoid using return_on_error for the UPDATE query to become aware of actual SQL errors.
• (3.1+ only) We should move return_on_error treatment into the update function itself so it is dealt with in the same way in all places
• We should limit the values for the f paramter to allowed values for the table column