Commit 19b32a3a authored by catch's avatar catch

Issue #2357249 by Stefan Horst, greggles, larowlan, David_Rothstein, klausi:...

Issue #2357249 by Stefan Horst, greggles, larowlan, David_Rothstein, klausi: Fixed SA-CORE-2014-005 (SQL injection).
parent 5564d2cd
......@@ -596,7 +596,7 @@ protected function expandArguments(&$query, &$args) {
// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
$new_keys = array();
foreach ($data as $i => $value) {
foreach (array_values($data) as $i => $value) {
// This assumes that there are no other placeholders that use the same
// name. For example, if the array placeholder is defined as :example
// and there is already an :example_2 placeholder, this will generate
......
......@@ -7,6 +7,8 @@
namespace Drupal\system\Tests\Database;
use Drupal\Core\Database\DatabaseExceptionWrapper;
/**
* Tests Drupal's extended prepared statement syntax..
*
......@@ -21,4 +23,32 @@ function testArraySubstitution() {
$this->assertEqual(count($names), 3, 'Correct number of names returned');
}
/**
* Tests SQL injection via database query array arguments.
*/
public function testArrayArgumentsSQLInjection() {
// Attempt SQL injection and verify that it does not work.
$condition = array(
"1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
'1' => '',
);
try {
db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
$this->fail('SQL injection attempt via array arguments should result in a database exception.');
}
catch (DatabaseExceptionWrapper $e) {
$this->pass('SQL injection attempt via array arguments should result in a database exception.');
}
// Test that the insert query that was used in the SQL injection attempt did
// not result in a row being inserted in the database.
$result = db_select('test')
->condition('name', 'test12345678')
->countQuery()
->execute()
->fetchField();
$this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment