You are here

Home » API reference » Zircon Profile 8 » QueryTest.php

class QueryTest in Zircon Profile 8

Same name in this branch
  1. 8 core/modules/views_ui/src/Tests/QueryTest.php \Drupal\views_ui\Tests\QueryTest
  2. 8 core/modules/views/src/Tests/Plugin/QueryTest.php \Drupal\views\Tests\Plugin\QueryTest
  3. 8 core/modules/system/src/Tests/Database/QueryTest.php \Drupal\system\Tests\Database\QueryTest
  4. 8 core/tests/Drupal/Tests/Core/Entity/Query/Sql/QueryTest.php \Drupal\Tests\Core\Entity\Query\Sql\QueryTest
  5. 8 core/modules/views/tests/modules/views_test_data/src/Plugin/views/query/QueryTest.php \Drupal\views_test_data\Plugin\views\query\QueryTest
Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Database/QueryTest.php \Drupal\system\Tests\Database\QueryTest

Tests Drupal's extended prepared statement syntax..

@group Database

Hierarchy

Expanded class hierarchy of QueryTest

1 string reference to 'QueryTest'
QueryTest::calculateDependencies in core/modules/views/tests/modules/views_test_data/src/Plugin/views/query/QueryTest.php
Calculates dependencies for the configured plugin.

File

core/modules/system/src/Tests/Database/QueryTest.php, line 15
Contains \Drupal\system\Tests\Database\QueryTest.

Namespace

Drupal\system\Tests\Database
View source 
class QueryTest extends DatabaseTestBase {

  /**
   * Tests that we can pass an array of values directly in the query.
   */
  function testArraySubstitution() {
    $names = db_query('SELECT name FROM {test} WHERE age IN ( :ages[] ) ORDER BY age', array(
      ':ages[]' => array(
        25,
        26,
        27,
      ),
    ))
      ->fetchAll();
    $this
      ->assertEqual(count($names), 3, 'Correct number of names returned');
    $names = db_query('SELECT name FROM {test} WHERE age IN ( :ages[] ) ORDER BY age', array(
      ':ages[]' => array(
        25,
      ),
    ))
      ->fetchAll();
    $this
      ->assertEqual(count($names), 1, 'Correct number of names returned');
  }

  /**
   * Tests that we can not pass a scalar value when an array is expected.
   */
  function testScalarSubstitution() {
    try {
      $names = db_query('SELECT name FROM {test} WHERE age IN ( :ages[] ) ORDER BY age', array(
        ':ages[]' => 25,
      ))
        ->fetchAll();
      $this
        ->fail('Array placeholder with scalar argument should result in an exception.');
    } catch (\InvalidArgumentException $e) {
      $this
        ->pass('Array placeholder with scalar argument should result in an exception.');
    }
  }

  /**
   * Tests SQL injection via database query array arguments.
   */
  public function testArrayArgumentsSQLInjection() {

    // Attempt SQL injection and verify that it does not work.
    $condition = array(
      "1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
      '1' => '',
    );
    try {
      db_query("SELECT * FROM {test} WHERE name = :name", array(
        ':name' => $condition,
      ))
        ->fetchObject();
      $this
        ->fail('SQL injection attempt via array arguments should result in a database exception.');
    } catch (\InvalidArgumentException $e) {
      $this
        ->pass('SQL injection attempt via array arguments should result in a database exception.');
    }

    // Test that the insert query that was used in the SQL injection attempt did
    // not result in a row being inserted in the database.
    $result = db_select('test')
      ->condition('name', 'test12345678')
      ->countQuery()
      ->execute()
      ->fetchField();
    $this
      ->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
  }

  /**
   * Tests SQL injection via condition operator.
   */
  public function testConditionOperatorArgumentsSQLInjection() {
    $injection = "IS NOT NULL) ;INSERT INTO {test} (name) VALUES ('test12345678'); -- ";

    // Convert errors to exceptions for testing purposes below.
    set_error_handler(function ($severity, $message, $filename, $lineno) {
      throw new \ErrorException($message, 0, $severity, $filename, $lineno);
    });
    try {
      $result = db_select('test', 't')
        ->fields('t')
        ->condition('name', 1, $injection)
        ->execute();
      $this
        ->fail('Should not be able to attempt SQL injection via condition operator.');
    } catch (\ErrorException $e) {
      $this
        ->pass('SQL injection attempt via condition arguments should result in a database exception.');
    }

    // Test that the insert query that was used in the SQL injection attempt did
    // not result in a row being inserted in the database.
    $result = db_select('test')
      ->condition('name', 'test12345678')
      ->countQuery()
      ->execute()
      ->fetchField();
    $this
      ->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');

    // Attempt SQLi via union query with no unsafe characters.
    $this
      ->enableModules([
      'user',
    ]);
    $this
      ->installEntitySchema('user');
    db_insert('test')
      ->fields([
      'name' => '123456',
    ])
      ->execute();
    $injection = "= 1 UNION ALL SELECT password FROM user WHERE uid =";
    try {
      $result = db_select('test', 't')
        ->fields('t', array(
        'name',
        'name',
      ))
        ->condition('name', 1, $injection)
        ->execute();
      $this
        ->fail('Should not be able to attempt SQL injection via operator.');
    } catch (\ErrorException $e) {
      $this
        ->pass('SQL injection attempt via condition arguments should result in a database exception.');
    }

    // Attempt SQLi via union query - uppercase tablename.
    db_insert('TEST_UPPERCASE')
      ->fields([
      'name' => 'secrets',
    ])
      ->execute();
    $injection = "IS NOT NULL) UNION ALL SELECT name FROM {TEST_UPPERCASE} -- ";
    try {
      $result = db_select('test', 't')
        ->fields('t', array(
        'name',
      ))
        ->condition('name', 1, $injection)
        ->execute();
      $this
        ->fail('Should not be able to attempt SQL injection via operator.');
    } catch (\ErrorException $e) {
      $this
        ->pass('SQL injection attempt via condition arguments should result in a database exception.');
    }
    restore_error_handler();
  }

  /**
   * Tests numeric query parameter expansion in expressions.
   *
   * @see \Drupal\Core\Database\Driver\sqlite\Statement::getStatement()
   * @see http://bugs.php.net/bug.php?id=45259
   */
  public function testNumericExpressionSubstitution() {
    $count = db_query('SELECT COUNT(*) >= 3 FROM {test}')
      ->fetchField();
    $this
      ->assertEqual((bool) $count, TRUE);
    $count = db_query('SELECT COUNT(*) >= :count FROM {test}', array(
      ':count' => 3,
    ))
      ->fetchField();
    $this
      ->assertEqual((bool) $count, TRUE);
  }

}

Members

Namesort descending Modifiers Type Description Overrides
AssertContentTrait::$content protected property The current raw content.
AssertContentTrait::$drupalSettings protected property The drupalSettings value from the current raw $content.
AssertContentTrait::$elements protected property The XML structure parsed from the current raw $content. 2
AssertContentTrait::$plainTextContent protected property The plain-text content of raw $content (text nodes).
AssertContentTrait::assertEscaped protected function Passes if the raw text IS found escaped on the loaded page, fail otherwise.
AssertContentTrait::assertField protected function Asserts that a field exists with the given name or ID.
AssertContentTrait::assertFieldById protected function Asserts that a field exists with the given ID and value.
AssertContentTrait::assertFieldByName protected function Asserts that a field exists with the given name and value.
AssertContentTrait::assertFieldByXPath protected function Asserts that a field exists in the current page by the given XPath.
AssertContentTrait::assertFieldChecked protected function Asserts that a checkbox field in the current page is checked.
AssertContentTrait::assertFieldsByValue protected function Asserts that a field exists in the current page with a given Xpath result.
AssertContentTrait::assertLink protected function Passes if a link with the specified label is found.
AssertContentTrait::assertLinkByHref protected function Passes if a link containing a given href (part) is found.
AssertContentTrait::assertNoDuplicateIds protected function Asserts that each HTML ID is used for just a single element.
AssertContentTrait::assertNoEscaped protected function Passes if the raw text IS NOT found escaped on the loaded page, fail otherwise.
AssertContentTrait::assertNoField protected function Asserts that a field does not exist with the given name or ID.
AssertContentTrait::assertNoFieldById protected function Asserts that a field does not exist with the given ID and value.
AssertContentTrait::assertNoFieldByName protected function Asserts that a field does not exist with the given name and value.
AssertContentTrait::assertNoFieldByXPath protected function Asserts that a field does not exist or its value does not match, by XPath.
AssertContentTrait::assertNoFieldChecked protected function Asserts that a checkbox field in the current page is not checked.
AssertContentTrait::assertNoLink protected function Passes if a link with the specified label is not found.
AssertContentTrait::assertNoLinkByHref protected function Passes if a link containing a given href (part) is not found.
AssertContentTrait::assertNoLinkByHrefInMainRegion protected function Passes if a link containing a given href is not found in the main region.
AssertContentTrait::assertNoOption protected function Asserts that a select option in the current page does not exist.
AssertContentTrait::assertNoOptionSelected protected function Asserts that a select option in the current page is not checked.
AssertContentTrait::assertNoPattern protected function Triggers a pass if the perl regex pattern is not found in raw content.
AssertContentTrait::assertNoRaw protected function Passes if the raw text is NOT found on the loaded page, fail otherwise.
AssertContentTrait::assertNoText protected function Passes if the page (with HTML stripped) does not contains the text.
AssertContentTrait::assertNoTitle protected function Pass if the page title is not the given string.
AssertContentTrait::assertNoUniqueText protected function Passes if the text is found MORE THAN ONCE on the text version of the page.
AssertContentTrait::assertOption protected function Asserts that a select option in the current page exists.
AssertContentTrait::assertOptionSelected protected function Asserts that a select option in the current page is checked.
AssertContentTrait::assertOptionSelectedWithDrupalSelector protected function Asserts that a select option in the current page is checked.
AssertContentTrait::assertOptionWithDrupalSelector protected function Asserts that a select option in the current page exists.
AssertContentTrait::assertPattern protected function Triggers a pass if the Perl regex pattern is found in the raw content.
AssertContentTrait::assertRaw protected function Passes if the raw text IS found on the loaded page, fail otherwise.
AssertContentTrait::assertText protected function Passes if the page (with HTML stripped) contains the text.
AssertContentTrait::assertTextHelper protected function Helper for assertText and assertNoText.
AssertContentTrait::assertTextPattern protected function Asserts that a Perl regex pattern is found in the plain-text content.
AssertContentTrait::assertThemeOutput protected function Asserts themed output.
AssertContentTrait::assertTitle protected function Pass if the page title is the given string.
AssertContentTrait::assertUniqueText protected function Passes if the text is found ONLY ONCE on the text version of the page.
AssertContentTrait::assertUniqueTextHelper protected function Helper for assertUniqueText and assertNoUniqueText.
AssertContentTrait::buildXPathQuery protected function Builds an XPath query.
AssertContentTrait::constructFieldXpath protected function Helper: Constructs an XPath for the given set of attributes and value.
AssertContentTrait::cssSelect protected function Searches elements using a CSS selector in the raw content.
AssertContentTrait::getAllOptions protected function Get all option elements, including nested options, in a select.
AssertContentTrait::getDrupalSettings protected function Gets the value of drupalSettings for the currently-loaded page.
AssertContentTrait::getRawContent protected function Gets the current raw content.
AssertContentTrait::getSelectedItem protected function Get the selected value from a select field.
AssertContentTrait::getTextContent protected function Retrieves the plain-text content from the current raw content.
AssertContentTrait::getUrl protected function Get the current URL from the cURL handler. 1
AssertContentTrait::parse protected function Parse content returned from curlExec using DOM and SimpleXML.
AssertContentTrait::removeWhiteSpace protected function Removes all white-space between HTML tags from the raw content.
AssertContentTrait::setDrupalSettings protected function Sets the value of drupalSettings for the currently-loaded page.
AssertContentTrait::setRawContent protected function Sets the raw content (e.g. HTML).
AssertContentTrait::xpath protected function Performs an xpath search on the contents of the internal browser.
AssertHelperTrait::castSafeStrings protected function Casts MarkupInterface objects into strings.
DatabaseTestBase::$modules public static property Modules to enable. Overrides KernelTestBase::$modules 3
DatabaseTestBase::addSampleData static function Sets up our sample data.
DatabaseTestBase::ensureSampleDataNull function Sets up tables for NULL handling.
DatabaseTestBase::setUp protected function Performs setup tasks before each individual test method is run. Overrides KernelTestBase::setUp
KernelTestBase::$configDirectories protected property The configuration directories for this test run.
KernelTestBase::$keyValueFactory protected property A KeyValueMemoryFactory instance to use when building the container.
KernelTestBase::$moduleFiles private property
KernelTestBase::$streamWrappers protected property Array of registered stream wrappers.
KernelTestBase::$themeFiles private property
KernelTestBase::beforePrepareEnvironment protected function Act on global state information before the environment is altered for a test. Overrides TestBase::beforePrepareEnvironment
KernelTestBase::containerBuild public function Sets up the base service container for this test. 12
KernelTestBase::defaultLanguageData protected function Provides the data for setting the default language on the container. 1
KernelTestBase::disableModules protected function Disables modules for this test.
KernelTestBase::enableModules protected function Enables modules for this test.
KernelTestBase::installConfig protected function Installs default configuration for a given list of modules.
KernelTestBase::installEntitySchema protected function Installs the storage schema for a specific entity type.
KernelTestBase::installSchema protected function Installs a specific table from a module schema definition.
KernelTestBase::prepareConfigDirectories protected function Create and set new configuration directories. 1
KernelTestBase::registerStreamWrapper protected function Registers a stream wrapper for this test.
KernelTestBase::render protected function Renders a render array.
KernelTestBase::tearDown protected function Performs cleanup tasks after each individual test method has been run. Overrides TestBase::tearDown
KernelTestBase::__construct function Constructor for Test. Overrides TestBase::__construct
QueryTest::testArrayArgumentsSQLInjection public function Tests SQL injection via database query array arguments.
QueryTest::testArraySubstitution function Tests that we can pass an array of values directly in the query.
QueryTest::testConditionOperatorArgumentsSQLInjection public function Tests SQL injection via condition operator.
QueryTest::testNumericExpressionSubstitution public function Tests numeric query parameter expansion in expressions.
QueryTest::testScalarSubstitution function Tests that we can not pass a scalar value when an array is expected.
RandomGeneratorTrait::$randomGenerator protected property The random generator.
RandomGeneratorTrait::getRandomGenerator protected function Gets the random generator for the utility methods.
RandomGeneratorTrait::randomMachineName protected function Generates a unique random string containing letters and numbers.
RandomGeneratorTrait::randomObject public function Generates a random PHP object.
RandomGeneratorTrait::randomString public function Generates a pseudo-random string of ASCII characters of codes 32 to 126.
RandomGeneratorTrait::randomStringValidate public function Callback for random string validation.
SessionTestTrait::$sessionName protected property The name of the session cookie.
SessionTestTrait::generateSessionName protected function Generates a session cookie name.
SessionTestTrait::getSessionName protected function Returns the session name in use on the child site.
TestBase::$assertions protected property Assertions thrown in that test case.
TestBase::$configImporter protected property The config importer that can used in a test. 5
TestBase::$configSchemaCheckerExclusions protected static property An array of config object names that are excluded from schema checking.
TestBase::$container protected property The dependency injection container used in the test.
TestBase::$databasePrefix protected property The database prefix of this test run.
TestBase::$dieOnFail public property Whether to die in case any test assertion fails.
TestBase::$httpAuthCredentials protected property HTTP authentication credentials (<username>:<password>).
TestBase::$httpAuthMethod protected property HTTP authentication method (specified as a CURLAUTH_* constant).
TestBase::$kernel protected property The DrupalKernel instance used in the test. 1
TestBase::$originalConf protected property The original configuration (variables), if available.
TestBase::$originalConfig protected property The original configuration (variables).
TestBase::$originalConfigDirectories protected property The original configuration directories.
TestBase::$originalContainer protected property The original container.
TestBase::$originalFileDirectory protected property The original file directory, before it was changed for testing purposes.
TestBase::$originalLanguage protected property The original language.
TestBase::$originalPrefix protected property The original database prefix when running inside Simpletest.
TestBase::$originalProfile protected property The original installation profile.
TestBase::$originalSessionName protected property The name of the session cookie of the test-runner.
TestBase::$originalSettings protected property The settings array.
TestBase::$originalShutdownCallbacks protected property The original array of shutdown function callbacks. 1
TestBase::$originalSite protected property The site directory of the original parent site.
TestBase::$originalUser protected property The original user, before testing began. 1
TestBase::$privateFilesDirectory protected property The private file directory for the test environment.
TestBase::$publicFilesDirectory protected property The public file directory for the test environment.
TestBase::$results public property Current results of this test case.
TestBase::$siteDirectory protected property The site directory of this test run.
TestBase::$skipClasses protected property This class is skipped when looking for the source of an assertion.
TestBase::$strictConfigSchema protected property Set to TRUE to strict check all configuration saved. 4
TestBase::$tempFilesDirectory protected property The temporary file directory for the test environment.
TestBase::$testId protected property The test run ID.
TestBase::$timeLimit protected property Time limit for the test.
TestBase::$translationFilesDirectory protected property The translation file directory for the test environment.
TestBase::$verbose public property TRUE if verbose debugging is enabled.
TestBase::$verboseClassName protected property Safe class name for use in verbose output filenames.
TestBase::$verboseDirectory protected property Directory where verbose output files are put.
TestBase::$verboseDirectoryUrl protected property URL to the verbose output file directory.
TestBase::$verboseId protected property Incrementing identifier for verbose output filenames.
TestBase::assert protected function Internal helper: stores the assert.
TestBase::assertEqual protected function Check to see if two values are equal.
TestBase::assertErrorLogged protected function Asserts that a specific error has been logged to the PHP error log.
TestBase::assertFalse protected function Check to see if a value is false.
TestBase::assertIdentical protected function Check to see if two values are identical.
TestBase::assertIdenticalObject protected function Checks to see if two objects are identical.
TestBase::assertNoErrorsLogged protected function Asserts that no errors have been logged to the PHP error.log thus far.
TestBase::assertNotEqual protected function Check to see if two values are not equal.
TestBase::assertNotIdentical protected function Check to see if two values are not identical.
TestBase::assertNotNull protected function Check to see if a value is not NULL.
TestBase::assertNull protected function Check to see if a value is NULL.
TestBase::assertTrue protected function Check to see if a value is not false.
TestBase::changeDatabasePrefix private function Changes the database connection to the prefixed one.
TestBase::checkRequirements protected function Checks the matching requirements for Test. 2
TestBase::config protected function Configuration accessor for tests. Returns non-overridden configuration.
TestBase::configImporter public function Returns a ConfigImporter object to import test importing of configuration. 5
TestBase::copyConfig public function Copies configuration objects from source storage to target storage.
TestBase::deleteAssert public static function Delete an assertion record by message ID.
TestBase::error protected function Fire an error assertion. 3
TestBase::errorHandler public function Handle errors during test runs.
TestBase::exceptionHandler protected function Handle exceptions.
TestBase::fail protected function Fire an assertion that is always negative.
TestBase::filePreDeleteCallback public static function Ensures test files are deletable within file_unmanaged_delete_recursive().
TestBase::generatePermutations public static function Converts a list of possible parameters into a stack of permutations.
TestBase::getAssertionCall protected function Cycles through backtrace until the first non-assertion method is found.
TestBase::getConfigSchemaExclusions protected function Gets the config schema exclusions for this test.
TestBase::getDatabaseConnection public static function Returns the database connection to the site running Simpletest.
TestBase::getDatabasePrefix public function Gets the database prefix.
TestBase::getTempFilesDirectory public function Gets the temporary files directory.
TestBase::insertAssert public static function Store an assertion from outside the testing context.
TestBase::pass protected function Fire an assertion that is always positive.
TestBase::prepareDatabasePrefix private function Generates a database prefix for running tests.
TestBase::prepareEnvironment private function Prepares the current environment for running the test.
TestBase::restoreEnvironment private function Cleans up the test environment and restores the original environment.
TestBase::run public function Run all tests in this class. 1
TestBase::settingsSet protected function Changes in memory settings.
TestBase::storeAssertion protected function Helper method to store an assertion record in the configured database.
TestBase::verbose protected function Logs a verbose message in a text file.