CRM-19562

CRM/Contact/BAO/Query.php

@@ -3500,6 +3500,7 @@ public function includeContactIDs() {
         $contactIds[] = substr($values[0], CRM_Core_Form::CB_PREFIX_LEN);
       }
     }
+    CRM_Utils_Type::validateAll($contactIds, 'Positive');
     if (!empty($contactIds)) {
       $this->_where[0][] = " ( contact_a.id IN (" . implode(',', $contactIds) . " ) ) ";
     }

CRM/Utils/Type.php

@@ -299,6 +299,18 @@ public static function escape($data, $type, $abort = TRUE) {
     return NULL;
   }
 
+  /**
+   * Helper function to call validate on arrays
+   *
+   * @see validate
+   */
+  public static function validateAll($data, $type, $abort = TRUE) {
+    foreach ($data as $key => $value) {
+      $data[$key] = CRM_Utils_Type::validate($value, $type, $abort);
+    }
+    return $data;
+  }
+
   /**
    * Verify that a variable is of a given type.
    *

tests/phpunit/CRM/Contact/BAO/QueryTest.php

@@ -191,4 +191,34 @@ public function testSearchProfilePrimaryCityCRM14263() {
     }
   }
 
+  /**
+   * CRM-19562 ensure that only ids are used for contactid searching.
+   */
+  public function testContactIDClause() {
+    $params = array(
+      array("mark_x_2", "=", 1, 0, 0),
+      array("mark_x_foo@example.com", "=", 1, 0, 0),
+    );
+    $returnProperties = array(
+      "sort_name" => 1,
+      "email" => 1,
+      "do_not_email" => 1,
+      "is_deceased" => 1,
+      "on_hold" => 1,
+      "display_name" => 1,
+      "preferred_mail_format" => 1,
+    );
+    $numberofContacts = 2;
+    $query = new CRM_Contact_BAO_Query($params, $returnProperties);
+    try {
+      $query->apiQuery($params, $returnProperties, NULL, NULL, 0, $numberofContacts);
+    }
+    catch (Exception $e) {
+      $this->assertEquals("A fatal error was triggered: One of parameters  (value: foo@example.com) is not of the type Positive",
+        $e->getMessage());
+      return $this->assertTrue(TRUE);
+    }
+    return $this->fail('Test failed for some reason which is not good');
+  }
+
 }