phpBB 3.3.5 has a pretty serious bug in its migrations code. This bug is one of the reasons why Dave has asked people to avoid updating to phpBB 3.3.5. The bug in 3.3.5 can be demonstrated with the following migration function that does nothing more than create a JSON-encoded string as a
$config
variable. The function works correctly in all previous versions of phpBB that supported migrations.
Code: Select all public function update_data()
{
return array(
array('config.add', array('dd_migrationbug', '{"A":"101a","B":"102b","C":"103c","D":"104d","E":"105e","F":"106f","G":"107g","H":"108h","I":"109i","J":"110j","K":"111k","L":"112l","M":"113m","N":"114n","O":"115o","P":"116p","Q":"117q","R":"118r","S":"119s","T":"120t"}'))
);
}
The issue is in the
phpbb/config/db
.php file. The
set_atomic()
function now contains the following in its INSERT query:
Code: Select all 'config_name' => $this->db->sql_escape($key),
'config_value' => $this->db->sql_escape($new_value),
All previous versions of phpBB contained the following:
Code: Select all 'config_name' => $key,
'config_value' => $new_value,
The use of
sql_escape()
is incorrect -- the
sql_build_array()
function also calls this function with strings, which means the string is being double-escaped.
One hopes the phpBB devs fix this quickly, because it will undoubtedly result in a large number of broken extensions. The following ticket is the culprit:
https://tracker.phpbb.com/browse/PHPBB3-16870