project / drupal / Commits / 449c7028
Commit 449c7028 authored Oct 15, 2014 by David_Rothstein
Tests for SA-CORE-2014-005 by Stefan Horst, greggles, larowlan, David_Rothstein, klausi
parent 26a7752c
Changes: 1
modules/simpletest/tests/database_test.test
@@ -3384,6 +3384,34 @@ class DatabaseQueryTestCase extends DatabaseTestCase {
$this
->
assertEqual
(
count
(
$names
),
3
,
'Correct number of names returned'
);
}
/**
* Test SQL injection via database query array arguments.
*/
public
function
testArrayArgumentsSQLInjection
()
{
// Attempt SQL injection and verify that it does not work.
$condition
=
array
(
"1 ;INSERT INTO
{
test
}
SET name = 'test12345678'; -- "
=>
''
,
'1'
=>
''
,
);
try
{
db_query
(
"SELECT * FROM
{
test
}
WHERE name = :name"
,
array
(
':name'
=>
$condition
))
->
fetchObject
();
$this
->
fail
(
'SQL injection attempt via array arguments should result in a PDOException.'
);
}
catch
(
PDOException
$e
)
{
$this
->
pass
(
'SQL injection attempt via array arguments should result in a PDOException.'
);
}
// Test that the insert query that was used in the SQL injection attempt did
// not result in a row being inserted in the database.
$result
=
db_select
(
'test'
)
->
condition
(
'name'
,
'test12345678'
)
->
countQuery
()
->
execute
()
->
fetchField
();
$this
->
assertFalse
(
$result
,
'SQL injection attempt did not result in a row being inserted in the database table.'
);
}
}
/**
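Review bot: the closing assertion, `assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.')`, applied to the value from `countQuery()->execute()->fetchField()`, relies on the row count coming back as a falsy value (the string "0" or the integer 0) rather than asserting what the test actually means; `assertEqual($result, 0, ...)` would state directly that no row named 'test12345678' exists and would not depend on PHP's loose truthiness of a database-driver return type. The new test also covers only the rejection path (a PDOException for the crafted array key); a companion check in the same method that a well-formed array argument still expands and returns its rows would guard against a fix that rejects array arguments too broadly, and would make a regression in the legitimate path show up next to the injection test rather than elsewhere in the suite.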