function CoderSecurityTest::testSecuritySQLVariableInjection in Coder 6
File: tests/coder_security.test, line 28
/**
 * Checks the SQL-injection rule for variables interpolated into query text.
 *
 * Every snippet below is a one-line piece of module code handed to the
 * security review. A snippet is expected to be flagged when a PHP variable
 * ($nid, $type, $name) is interpolated directly into the SQL string given to
 * db_query(), or into a string assigned to $sql. A snippet is expected to pass
 * when the query text only uses %s placeholders, when the interpolation sits
 * in a db_query() argument rather than in the query text itself, or when the
 * call is update_sql().
 */
function testSecuritySQLVariableInjection() {
  // Ordered table of (expect the review to flag it?, snippet). The order is
  // the order in which the assertions were originally written.
  $cases = array(
    array(TRUE, ' $results = db_query("SELECT * FROM {node} WHERE nid=$nid");'),
    array(FALSE, ' $results = db_query("SELECT * FROM {false_accounts} WHERE uids REGEXP \'^%s,|,%s,|,%s$\'");'),
    array(FALSE, ' $results = db_query("SELECT COUNT(n.nid) FROM {node} n INNER JOIN {node_revisions} r USING (nid, vid) WHERE n.type=\'%s\' AND (r.title REGEXP \'^[^[:alpha:]].*$\')");'),
    array(TRUE, ' $results = db_query("SELECT COUNT(n.nid) FROM {node} n INNER JOIN {node_revisions} r USING (nid, vid) WHERE n.type=\'%s\' AND (r.title REGEXP \'^[^[:alpha:]].*$\') AND nid=$nid");'),
    array(TRUE, ' $results = db_query("SELECT COUNT(n.nid) FROM {node} n INNER JOIN {node_revisions} r USING (nid, vid) WHERE n.type=$type AND (r.title REGEXP \'^[^[:alpha:]].*$\')");'),
    array(TRUE, ' $results = db_query("SELECT * FROM {foo} WHERE name=$name");'),
    array(TRUE, ' db_query("INSERT INTO {foo} SET name=\'$name\'");'),
    // Raw interpolation is flagged even when the string is only stored for
    // later use, not passed to db_query() directly.
    array(TRUE, ' $sql = "INSERT INTO {foo} SET name=\'$name\'";'),
    // update_sql() is not subject to this rule.
    array(FALSE, ' update_sql("INSERT INTO {foo} SET name=\'$name\'");'),
    // Interpolation inside a placeholder argument, not inside the SQL text.
    array(FALSE, ' db_result(db_query("SELECT filename FROM {system} WHERE name = \'%s\'", "ad_$detail->adtype"));'),
  );

  foreach ($cases as $case) {
    list($expect_flagged, $snippet) = $case;
    if ($expect_flagged) {
      $this->assertCoderFail($snippet);
    }
    else {
      $this->assertCoderPass($snippet);
    }
  }
}