View source
<?php
namespace Drupal\KernelTests\Core\Database;
class QueryTest extends DatabaseTestBase {
public function testArraySubstitution() {
$names = $this->connection
->query('SELECT [name] FROM {test} WHERE [age] IN ( :ages[] ) ORDER BY [age]', [
':ages[]' => [
25,
26,
27,
],
])
->fetchAll();
$this
->assertCount(3, $names, 'Correct number of names returned');
$names = $this->connection
->query('SELECT [name] FROM {test} WHERE [age] IN ( :ages[] ) ORDER BY [age]', [
':ages[]' => [
25,
],
])
->fetchAll();
$this
->assertCount(1, $names, 'Correct number of names returned');
}
public function testScalarSubstitution() {
try {
$names = $this->connection
->query('SELECT [name] FROM {test} WHERE [age] IN ( :ages[] ) ORDER BY [age]', [
':ages[]' => 25,
])
->fetchAll();
$this
->fail('Array placeholder with scalar argument should result in an exception.');
} catch (\Exception $e) {
$this
->assertInstanceOf(\InvalidArgumentException::class, $e);
}
}
public function testArrayArgumentsSQLInjection() {
$condition = [
"1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
'1' => '',
];
try {
$this->connection
->query("SELECT * FROM {test} WHERE [name] = :name", [
':name' => $condition,
])
->fetchObject();
$this
->fail('SQL injection attempt via array arguments should result in a database exception.');
} catch (\InvalidArgumentException $e) {
}
$result = $this->connection
->select('test')
->condition('name', 'test12345678')
->countQuery()
->execute()
->fetchField();
$this
->assertEquals(0, $result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}
public function testConditionOperatorArgumentsSQLInjection() {
$injection = "IS NOT NULL) ;INSERT INTO {test} (name) VALUES ('test12345678'); -- ";
$previous_error_handler = set_error_handler(function ($severity, $message, $filename, $lineno) use (&$previous_error_handler) {
if (preg_match('@core/lib/Drupal/Core/Database/Query/Condition.php$@', str_replace(DIRECTORY_SEPARATOR, '/', $filename))) {
throw new \ErrorException($message, 0, $severity, $filename, $lineno);
}
if ($previous_error_handler) {
return $previous_error_handler($severity, $message, $filename, $lineno);
}
});
try {
$result = $this->connection
->select('test', 't')
->fields('t')
->condition('name', 1, $injection)
->execute();
$this
->fail('Should not be able to attempt SQL injection via condition operator.');
} catch (\ErrorException $e) {
}
$result = $this->connection
->select('test')
->condition('name', 'test12345678')
->countQuery()
->execute()
->fetchField();
$this
->assertEquals(0, $result, 'SQL injection attempt did not result in a row being inserted in the database table.');
$this
->enableModules([
'user',
]);
$this
->installEntitySchema('user');
$this->connection
->insert('test')
->fields([
'name' => '123456',
])
->execute();
$injection = "= 1 UNION ALL SELECT password FROM user WHERE uid =";
try {
$result = $this->connection
->select('test', 't')
->fields('t', [
'name',
'name',
])
->condition('name', 1, $injection)
->execute();
$this
->fail('Should not be able to attempt SQL injection via operator.');
} catch (\ErrorException $e) {
}
$this->connection
->insert('TEST_UPPERCASE')
->fields([
'name' => 'secrets',
])
->execute();
$injection = "IS NOT NULL) UNION ALL SELECT name FROM {TEST_UPPERCASE} -- ";
try {
$result = $this->connection
->select('test', 't')
->fields('t', [
'name',
])
->condition('name', 1, $injection)
->execute();
$this
->fail('Should not be able to attempt SQL injection via operator.');
} catch (\ErrorException $e) {
}
restore_error_handler();
}
public function testNumericExpressionSubstitution() {
$count_expected = $this->connection
->query('SELECT COUNT(*) + 3 FROM {test}')
->fetchField();
$count = $this->connection
->query('SELECT COUNT(*) + :count FROM {test}', [
':count' => 3,
])
->fetchField();
$this
->assertEquals($count_expected, $count);
}
public function testQuotingIdentifiers() {
$result = $this->connection
->query('SELECT [update] FROM {select}')
->fetchObject();
$this
->assertEquals('Update value 1', $result->update);
}
}