My early research shows that there might be an SQL injection. Huh!? How to fix this? And how to prevent further injection attack?
May be not as it seems that the error is caused by this upgrade line for mysql:
upgrade_query("
UPDATE {$db_prefix}settings
SET value = {string:value}
WHERE variable = {string:variable}",
array(
'value' => $modSettings['avatar_max_height_external'],
'variable' => 'avatar_max_height'
)
);
upgrade_query("
UPDATE {$db_prefix}settings
SET value = {string:value}
WHERE variable = {string:variable}",
array(
'value' => $modSettings['avatar_max_width_external'],
'variable' => 'avatar_max_width'
)
);
I'll need to read and understand the manual now. Sigh...