You are here

Home » API reference » Drupal driver for SQL Server and SQL Azure 7.2 » sqlsrv.select.test » SqlServerSelectTest

public function SqlServerSelectTest::testBadKeysInArrayArguments in Drupal driver for SQL Server and SQL Azure 7.2

Same name and namespace in other branches
  1. 7.3 tests/sqlsrv.select.test \SqlServerSelectTest::testBadKeysInArrayArguments()
  2. 7 tests/sqlsrv.select.test \SqlServerSelectTest::testBadKeysInArrayArguments()

Test for weird key names in array arguments.

File

tests/sqlsrv.select.test, line 170
Support tests for SQL Server.

Class

SqlServerSelectTest
@file Support tests for SQL Server.

Code

public function testBadKeysInArrayArguments() {
  $params[':nids'] = array(
    'uid1' => -9,
    'What a bad placeholder name, why should we care?' => -6,
  );
  $result = NULL;
  try {

    // The regular expandArguments implementation will fail to
    // properly expand the associative array with weird keys, OH, and actually
    // you can perform some SQL Injection through the array keys.
    $result = db_query('SELECT COUNT(*) FROM USERS WHERE USERS.UID IN (:nids)', $params)
      ->fetchField();
  } catch (\Exception $err) {

    // Regular drupal will fail with
    // SQLSTATE[IMSSP]: An error occurred substituting the named parameters.
    // https://www.drupal.org/node/2146839
  }

  // User ID's are negative, so this should return 0 matches.
  $this
    ->assertEqual($result, 0, 'Returned the correct number of total rows.');
}