$contactIds[] = substr($values[0], CRM_Core_Form::CB_PREFIX_LEN);
}
}
+ CRM_Utils_Type::validateAll($contactIds, 'Positive');
if (!empty($contactIds)) {
$this->_where[0][] = " ( contact_a.id IN (" . implode(',', $contactIds) . " ) ) ";
}
}
}
+ /**
+ * CRM-19562 ensure that only ids are used for contactid searching.
+ */
+ public function testContactIDClause() {
+ $params = array(
+ array("mark_x_93980", "=", 1, 0, 0),
+ array("mark_x_foo@example.com", "=", 1, 0, 0),
+ );
+ $returnProperties = array(
+ "sort_name" => 1,
+ "email" => 1,
+ "do_not_email" => 1,
+ "is_deceased" => 1,
+ "on_hold" => 1,
+ "display_name" => 1,
+ "preferred_mail_format" => 1,
+ );
+ $numberofContacts = 2;
+ $query = new CRM_Contact_BAO_Query($params, $returnProperties);
+ try {
+ $query->apiQuery($params, $returnProperties, NULL, NULL, 0, $numberofContacts);
+ }
+ catch (Exception $e) {
+ $this->assertEquals("A fatal error was triggered: One of parameters (value: foo@example.com) is not of the type Positive",
+ $e->getMessage());
+ }
+ }
+
}
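Review bot: testContactIDClause() passes when apiQuery() throws nothing, because its only assertion sits inside the catch block. That means this CRM-19562 regression test would stay green if the `validateAll($contactIds, 'Positive')` check were later removed or bypassed. Add `$this->fail('Expected the non-numeric contact id to be rejected');` directly after the `$query->apiQuery(...)` call inside the try. If the broad `catch (Exception $e)` also catches that failure, the message comparison still fails the test, which is the desired result. The valid entry `mark_x_93980` shares the params array with the invalid one, so the accepted-id path is never asserted on its own; a second test with only numeric ids would cover it.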