public function QueryTest::testArrayArgumentsSQLInjection in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Database/QueryTest.php \Drupal\system\Tests\Database\QueryTest::testArrayArgumentsSQLInjection()

Tests SQL injection via database query array arguments.

File

core/modules/system/src/Tests/Database/QueryTest.php, line 45
Contains \Drupal\system\Tests\Database\QueryTest.

Class

QueryTest
Tests Drupal's extended prepared statement syntax.

Namespace

Drupal\system\Tests\Database

Code

public function testArrayArgumentsSQLInjection() {

  // Attempt SQL injection and verify that it does not work.
  $condition = array(
    "1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
    '1' => '',
  );
  try {
    db_query("SELECT * FROM {test} WHERE name = :name", array(
      ':name' => $condition,
    ))
      ->fetchObject();
    $this
      ->fail('SQL injection attempt via array arguments should result in a database exception.');
  } catch (\InvalidArgumentException $e) {
    $this
      ->pass('SQL injection attempt via array arguments should result in a database exception.');
  }

  // Test that the insert query that was used in the SQL injection attempt did
  // not result in a row being inserted in the database.
  $result = db_select('test')
    ->condition('name', 'test12345678')
    ->countQuery()
    ->execute()
    ->fetchField();
  $this
    ->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}
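The test above exercises Drupal's extended prepared statement syntax, in which a placeholder bound to an array is expanded into a comma-separated list of placeholders before the query reaches the driver. The danger is that the array's keys are caller-controlled: if an expansion builds placeholder names from those keys, a key such as the one in the test becomes part of the SQL text. The Python sketch below is an added illustration of that failure mode and of the hardened form; it is not Drupal's own expansion code and makes no claim about how core implements it. The `test` table, the payload, the placeholder regex and the one-statement guard message are constructed for the example, and sqlite3 stands in for the site database.

```python
"""Array-argument placeholder expansion: an unsafe variant that derives
placeholder names from caller-supplied keys, beside a hardened variant that
numbers placeholders by position and refuses multi-statement SQL.
Added example, not Drupal's Connection code; sqlite3 stands in for the DB."""
import re
import sqlite3

# Assumption for this example: a placeholder is ":" plus identifier characters.
PLACEHOLDER_RE = re.compile(r"^:[A-Za-z0-9_]+$")

# Constructed payload mirroring the page's test: the array *keys* carry SQL.
INJECTED_KEY = "1 ;INSERT INTO test (name) VALUES ('test12345678'); -- "
CONDITION = {INJECTED_KEY: "", "1": ""}


def _substitute(query, key, names):
    """Replace ':name' with the expanded list, but not ':name_0' or ':names'."""
    pattern = re.escape(key) + r"(?![A-Za-z0-9_])"
    return re.sub(pattern, lambda _m: ", ".join(names), query)


def expand_arguments_unsafe(query, args):
    """Bug pattern: placeholder names are built from the array keys, so an
    attacker-controlled key lands verbatim in the SQL text."""
    new_args = dict(args)
    for key, data in args.items():
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in data.items()}
        query = _substitute(query, key, new_keys)
        del new_args[key]
        new_args.update(new_keys)
    return query, new_args


def expand_arguments(query, args):
    """Hardened: placeholder names come from the position (0, 1, 2, ...), every
    placeholder name is validated, and the result must be a single statement."""
    new_args = dict(args)
    for key, data in args.items():
        if not PLACEHOLDER_RE.match(key):
            raise ValueError(f"invalid placeholder name {key!r}")
        if not isinstance(data, (list, tuple, dict)):
            continue
        values = list(data.values()) if isinstance(data, dict) else list(data)
        new_keys = {f"{key}_{i}": value for i, value in enumerate(values)}
        query = _substitute(query, key, new_keys)
        del new_args[key]
        new_args.update(new_keys)
    # Defense in depth: one statement per call; a trailing delimiter is tolerated.
    if ";" in query.rstrip("; \t\n\r"):
        raise ValueError("; is not supported in SQL strings. Use only one statement at a time.")
    return query, new_args


def run_query(conn, query, args):
    """Expand, then execute with genuinely bound parameters (sqlite3 named style)."""
    query, args = expand_arguments(query, args)
    bound = {name.lstrip(":"): value for name, value in args.items()}
    return conn.execute(query, bound).fetchall()


def demo():
    """Run the page's scenario against an in-memory table; returns the observations."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO test (name) VALUES ('alice'), ('bob')")

    select = "SELECT * FROM test WHERE name IN (:name)"
    unsafe_sql, _ = expand_arguments_unsafe(select, {":name": CONDITION})
    safe_sql, _ = expand_arguments(select, {":name": CONDITION})

    # Hardened path: the two empty strings are bound as values, nothing matches.
    rows = run_query(conn, select, {":name": CONDITION})
    # Legitimate list arguments still expand and bind correctly.
    both = run_query(conn, "SELECT name FROM test WHERE name IN (:name) ORDER BY name",
                     {":name": ["bob", "alice"]})
    # The one-statement guard rejects a stacked query outright.
    try:
        run_query(conn, "SELECT 1; DELETE FROM test", {})
        guard_fired = False
    except ValueError:
        guard_fired = True

    injected = conn.execute(
        "SELECT COUNT(*) FROM test WHERE name = 'test12345678'").fetchone()[0]
    return {
        "unsafe_sql_contains_insert": "INSERT INTO test" in unsafe_sql,
        "safe_sql": safe_sql,
        "rows": rows,
        "both": [row[0] for row in both],
        "guard_fired": guard_fired,
        "injected_rows": injected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The unsafe expansion never executes here, because sqlite3 refuses stacked statements; the point is visible in its output string, where the injected INSERT sits inside the SQL before any binding happens. The hardened expansion produces `name IN (:name_0, :name_1)` for the same input, so the keys are discarded and the only things the driver sees from the caller are bound values, which is the property the page's test checks with its final count query.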