I am "fixing" my elkarte site via upgrading as it seems it was still using 1.0.2 base but stuck at the above. How do I resolve that? Any help appreciated.
My early research shows that there might be an SQL injection. Huh!? How to fix this? And how to prevent further injection attacks? Maybe not, as it seems that the error is caused by this upgrade line for mysql:
upgrade_query("
	UPDATE {$db_prefix}settings
	SET value = {string:value}
	WHERE variable = {string:variable}",
	array(
		'value' => $modSettings['avatar_max_height_external'],
		'variable' => 'avatar_max_height'
	)
);
upgrade_query("
	UPDATE {$db_prefix}settings
	SET value = {string:value}
	WHERE variable = {string:variable}",
	array(
		'value' => $modSettings['avatar_max_width_external'],
		'variable' => 'avatar_max_width'
	)
);
I'll need to read and understand the manual now. Sigh...
Could be something simple like $modSettings['avatar_max_height_external'] is not set? Seems like that should be wrapped in an if !empty but not sure ... can always replace those with '0' and after the upgrade go to the ACP and set the values you want (assuming that is the problem)
Easier than that: simply upgrade_query doesn't work the same as db->query.
That code is broken, but it's nothing new, the upgrade was never actually tested because it has never been "distributed" (i.e. put in a zip and attached to a release).
Just upload the files, and then make sure to visit the avatars admin area and save the settings. That would be more than enough. ;)
Yup. I did that alternative. Maybe that upgrade can be tested later.
In the development branch the upgrade has been almost entirely rewritten (at least some of it) to work with Elk-standard queries style.
It needs testing of course.
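As an added illustration (not code from ElkArte, its upgrade script or anyone in this thread) of what "Elk-standard query style" means for the two avatar updates above: the same settings copy written against $db->query(), which binds the {string:...} placeholders from the array, with the !empty guard suggested earlier. It assumes database() returns the ElkArte query object and that upgrade_query() only takes the raw SQL string, so the placeholders in the posted code are never bound; the function name upgrade_avatar_settings is made up for this example.

```php
<?php
// Added example for this thread; not ElkArte's own upgrade code.
// Assumption: database() returns the ElkArte db object whose
// query($identifier, $sql, $values) replaces {db_prefix} and typed
// placeholders such as {string:value} from $values. upgrade_query() is
// assumed to run its first argument as-is, which is why the posted code
// never substituted the values and failed.

/**
 * Copies the old *_external avatar limits into the new setting names.
 * Each value reaches MySQL through a typed placeholder, never by being
 * pasted into the SQL text, so there is nothing to inject through here.
 *
 * @param array $modSettings current settings as read at upgrade time
 * @return array values written, keyed by the new variable name
 */
function upgrade_avatar_settings(array $modSettings)
{
	$db = database();

	// new setting name => old setting name; a missing old value becomes 0,
	// the same result as re-saving the avatar settings in the ACP afterwards
	$map = array(
		'avatar_max_height' => 'avatar_max_height_external',
		'avatar_max_width' => 'avatar_max_width_external',
	);

	$written = array();
	foreach ($map as $new_name => $old_name)
	{
		$value = empty($modSettings[$old_name]) ? 0 : (int) $modSettings[$old_name];

		$db->query('', '
			UPDATE {db_prefix}settings
			SET value = {string:value}
			WHERE variable = {string:variable}',
			array(
				'value' => (string) $value,
				'variable' => $new_name,
			)
		);

		$written[$new_name] = $value;
	}

	return $written;
}
```

Note that {db_prefix} here is a placeholder the query layer fills in, whereas the posted code's {$db_prefix} is PHP string interpolation of a global; mixing the two styles is the mismatch this thread is about.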