Affected version: 3.7.3
Database: PostgreSQL 15 (manifests as 500; on MySQL it's silently wrong but functions)
Bug: In app/Domain/Users/Templates/editOwn.blade.php the profile-image URL is constructed as:
<img src='{{ BASE_URL }}/api/users?profileImage={{ $user['id'] }}?v={{ format($user['modified'])->timestamp() }}' ... />
Note the second ? (should be &). The browser sees ?profileImage=2?v=1778467798 as a single query-string value profileImage=2?v=1778467798. The /api/users controller receives $params['profileImage'] = '2?v=1778467798' and passes it to getProfilePicture() → SQL WHERE id = ? with the malformed string.
MySQL: silently truncates the string to integer 2; the query succeeds with the wrong-by-coincidence row.
Postgres: SQLSTATE[22P02]: Invalid text representation: invalid input syntax for type bigint: "2?v=1778467798" → 500.
Five other templates in the repo use the correct &v= pattern (loginInfo, headMenu, showAll comments, profile-image component, kanban user-avatar) — editOwn.blade.php is the lone outlier.
Proposed fix: Single character change, ?v= → &v=.
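The parsing behaviour described above, as an added example that is not part of the original report or the project's code: it uses JavaScript's WHATWG `URL` parser to show the value the server receives, a strict id check that rejects it identically regardless of database, and a small template lint for the doubled `?`. The host `example.test` and the helpers `queryParams`, `parseUserId` and `findDoubleQuery` are assumptions made for illustration.

```javascript
// Constructed inputs modelled on the report; example.test is a placeholder host.
const BROKEN_URL = "https://example.test/api/users?profileImage=2?v=1778467798";
const FIXED_URL = "https://example.test/api/users?profileImage=2&v=1778467798";
const TEMPLATE = [
  "<img src='{{ BASE_URL }}/api/users?profileImage={{ $user['id'] }}?v={{ format($user['modified'])->timestamp() }}' />",
  "<img src='{{ BASE_URL }}/api/users?profileImage={{ $user['id'] }}&v={{ format($user['modified'])->timestamp() }}' />",
].join("\n");

// Split the query string the way a browser does (WHATWG URL rules):
// only the first "?" starts the query, any later "?" is ordinary data.
function queryParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Strict id check (hypothetical helper): decimal digits only, so nothing is
// left for the database driver to truncate or reject.
// Returns a number, or null when the request should be refused with a 400.
function parseUserId(raw) {
  const ok = typeof raw === "string" && /^[1-9][0-9]{0,14}$/.test(raw);
  return ok ? Number(raw) : null;
}

// Template lint: 1-based line numbers where a query string contains a
// second "?" before the attribute value ends.
function findDoubleQuery(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    // Collapse Blade expressions so their quotes and spaces do not interfere.
    const flat = line.replace(/\{\{.*?\}\}/g, "X");
    if (/\?[^\s'"?]*\?/.test(flat)) hits.push(i + 1);
  });
  return hits;
}

console.log(queryParams(BROKEN_URL)); // one parameter carrying the whole tail
console.log(queryParams(FIXED_URL));  // two parameters: profileImage and v
console.log(parseUserId(queryParams(BROKEN_URL).profileImage));
console.log(findDoubleQuery(TEMPLATE));
```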