Merge "SECURITY: quote booleans as string (not integer) in DatabaseMysqlBase"
authorjenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)
committerGerrit Code Review <gerrit@wikimedia.org>
Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)
includes/libs/rdbms/database/DatabaseMysqlBase.php

@@@ -129,14 -129,14 +129,14 @@@ abstract class DatabaseMysqlBase extend
                        if ( !$error ) {
                                $error = $this->lastError();
                        }
 -                      $this->queryLogger->error(
 +                      $this->connLogger->error(
                                "Error connecting to {db_server}: {error}",
                                $this->getLogContext( [
                                        'method' => __METHOD__,
                                        'error' => $error,
                                ] )
                        );
 -                      $this->queryLogger->debug( "DB connection error\n" .
 +                      $this->connLogger->debug( "DB connection error\n" .
                                "Server: $server, User: $user, Password: " .
                                substr( $password, 0, 3 ) . "..., error: " . $error . "\n" );
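Review bot: The debug message emitted on the new `$this->connLogger->debug(` line still includes a fragment of the credential, `substr( $password, 0, 3 ) . "..., error: "`, so the connection log now receives the first three characters of the database password on every failed connect. A prefix is enough to narrow a brute-force search, and log files are usually readable by more people and tools than the configuration that holds the password, so I would remove it rather than only redirect it: `"Server: $server, User: $user, error: " . $error . "\n"`. If the intent was to confirm which credential was loaded, log a length or a non-reversible indicator instead of plaintext characters. The enclosing method begins before this hunk.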
  
         */
        abstract protected function mysqlRealEscapeString( $s );
  
+       public function addQuotes( $s ) {
+               if ( is_bool( $s ) ) {
+                       // Parent would transform to int, which does not play nice with MySQL type juggling.
+                       // When searching for an int in a string column, the strings are cast to int, which
+                       // means false would match any string not starting with a number.
+                       $s = (string)(int)$s;
+               }
+               return parent::addQuotes( $s );
+       }
        /**
         * MySQL uses `backticks` for identifier quoting instead of the sql standard "double quotes".
         *