Fixed getQuotedUserIds does not validate post id's are ints, and MySQL reacts poorly

Affected version
2.1.1

Xon

Well-known member
While this function (XF\Service\Post\Preparer::getQuotedUserIds) quotes the post id's parsed from the [quote] tag, a malformed tag can cause non-integers to be passed to the MySQL. This then causes type juggling and weird behaviour.

For example;
SQL:
explain
SELECT post_id, user_id
FROM xf_post
WHERE post_id IN (3021963, '3025958\"')
Code:
+------+-------------+---------+-------+---------------+---------+---------+------+----------+--------------------------+
| id   | select_type | table   | type  | possible_keys | key     | key_len | ref  | rows     | Extra                    |
+------+-------------+---------+-------+---------------+---------+---------+------+----------+--------------------------+
|    1 | SIMPLE      | xf_post | index | PRIMARY       | user_id | 4       | NULL | 33638006 | Using where; Using index |
+------+-------------+---------+-------+---------------+---------+---------+------+----------+--------------------------+

The expected query plan should be;
SQL:
explain
SELECT post_id, user_id FROM xf_post WHERE post_id IN (3021963, 3025958);
Code:
+------+-------------+---------+-------+---------------+---------+---------+------+------+-------------+
| id   | select_type | table   | type  | possible_keys | key     | key_len | ref  | rows | Extra       |
+------+-------------+---------+-------+---------------+---------+---------+------+------+-------------+
|    1 | SIMPLE      | xf_post | range | PRIMARY       | PRIMARY | 4       | NULL |    2 | Using where |
+------+-------------+---------+-------+---------------+---------+---------+------+------+-------------+
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.2).

Change log:
Cast quoted post IDs to integers before querying for their user IDs.
Any changes made as a result of this issue being resolved may not be rolled out here until later.
 
Top