public function DatabaseQueryTestCase::testArrayArgumentsSQLInjection in Drupal 7

Test SQL injection via database query array arguments.

File

modules/simpletest/tests/database_test.test, line 3443

Class

DatabaseQueryTestCase: Drupal-specific SQL syntax tests.

Code

public function testArrayArgumentsSQLInjection() {

  // Attempt SQL injection and verify that it does not work.
  $condition = array(
    "1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
    '1' => '',
  );
  try {
    db_query("SELECT * FROM {test} WHERE name = :name", array(
      ':name' => $condition,
    ))
      ->fetchObject();
    $this
      ->fail('SQL injection attempt via array arguments should result in a PDOException.');
  } catch (PDOException $e) {
    $this
      ->pass('SQL injection attempt via array arguments should result in a PDOException.');
  }

  // Test that the insert query that was used in the SQL injection attempt did
  // not result in a row being inserted in the database.
  $result = db_select('test')
    ->condition('name', 'test12345678')
    ->countQuery()
    ->execute()
    ->fetchField();
  $this
    ->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}

You are here

public function DatabaseQueryTestCase::testArrayArgumentsSQLInjection in Drupal 7

File

Class

Code

API Navigation