public function SelectTest::testVulnerableComment in Drupal 10

Same name and namespace in other branches
  1. 8 core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()
  2. 9 core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()

Tests query COMMENT system against vulnerabilities.

File

core/tests/Drupal/KernelTests/Core/Database/SelectTest.php, line 50

Class

SelectTest
Tests the Select query builder.

Namespace

Drupal\KernelTests\Core\Database

Code

public function testVulnerableComment() {
  $query = $this->connection->select('test')
    ->comment('Testing query comments */ SELECT nid FROM {node}; --');
  $query->addField('test', 'name');
  $query->addField('test', 'age', 'age');
  $result = $query->execute();

  $records = $result->fetchAll();

  $query = (string) $query;
  $expected = "/* Testing query comments  * / SELECT nid FROM {node}. -- */";

  // Check the returned number of rows.
  $this->assertCount(4, $records);

  // Check that the flattened query contains the sanitized comment string.
  $this->assertStringContainsString($expected, $query);

  $connection = Database::getConnection();
  foreach ($this->makeCommentsProvider() as $test_set) {
    [$expected, $comments] = $test_set;
    $this->assertEquals($expected, $connection->makeComment($comments));
  }
}
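
The sanitization this test asserts, as an added stand-alone PHP example (not Drupal's own code). The function names and the sample SELECT are hypothetical, and the filtering rule is inferred from the test's `$expected` string; the example contrasts an unfiltered comment prefix with the filtered one.

```php
<?php
// Added sketch, not Drupal's Connection code. Assumption, inferred from the
// test's $expected string: '*' is padded with spaces and ';' becomes '.'.

/** Hypothetical helper: neutralise comment terminators and separators. */
function filter_comment_sketch(string $comment): string {
  // strtr() with an array does not rescan its own replacements.
  return strtr($comment, ['*' => ' * ', ';' => '.']);
}

/** Hypothetical helper: flatten comments into one filtered SQL comment. */
function make_comment_sketch(array $comments): string {
  return $comments ? '/* ' . filter_comment_sketch(implode('. ', $comments)) . ' */ ' : '';
}

/** Unfiltered variant, present only as the contrast case. */
function make_comment_unfiltered(array $comments): string {
  return $comments ? '/* ' . implode('. ', $comments) . ' */ ' : '';
}

/** Splits SQL at the first comment terminator: [comment, live SQL]. */
function split_at_comment_end(string $sql): array {
  $end = strpos($sql, '*/');
  if ($end === FALSE) {
    return ['', $sql];
  }
  return [substr($sql, 0, $end + 2), trim(substr($sql, $end + 2))];
}

// Constructed input: the string the test passes to comment(), in front of
// a constructed SELECT standing in for the builder's output.
$comments = ['Testing query comments */ SELECT nid FROM {node}; --'];
$select = 'SELECT test.name AS name, test.age AS age FROM {test} test';

$cases = [
  'unfiltered' => make_comment_unfiltered($comments) . $select,
  'filtered' => make_comment_sketch($comments) . $select,
];
foreach ($cases as $label => $sql) {
  [$comment, $live] = split_at_comment_end($sql);
  printf("%s\n  comment: %s\n  live SQL: %s\n", $label, $comment, $live);
}

// The filtered form must contain exactly one terminator: the builder's own.
if (substr_count($cases['filtered'], '*/') !== 1) {
  throw new RuntimeException('Comment can be closed by caller-supplied text.');
}
```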