function SelectTest::testVulnerableComment in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Database/SelectTest.php \Drupal\system\Tests\Database\SelectTest::testVulnerableComment()

Tests query COMMENT system against vulnerabilities.

File

core/modules/system/src/Tests/Database/SelectTest.php, line 52
Contains \Drupal\system\Tests\Database\SelectTest.

Class

SelectTest
Tests the Select query builder.

Namespace

Drupal\system\Tests\Database

Code

function testVulnerableComment() {
  // The comment text tries to close the SQL comment early ("*/") and append a
  // second statement after it.
  $query = db_select('test')
    ->comment('Testing query comments */ SELECT nid FROM {node}; --');
  $query->addField('test', 'name');
  $query->addField('test', 'age', 'age');
  $result = $query->execute();
  $records = $result->fetchAll();

  // Flatten the query to a string so the generated comment can be inspected.
  $query = (string) $query;
  $expected = "/* Testing query comments  * / SELECT nid FROM {node}. -- */ SELECT test.name AS name, test.age AS age\nFROM \n{test} test";

  $this->assertEqual(count($records), 4, 'Returned the correct number of rows.');
  $this->assertNotIdentical(FALSE, strpos($query, $expected), 'The flattened query contains the sanitised comment string.');

  // Check makeComment() directly against every case from the provider.
  $connection = Database::getConnection();
  foreach ($this->makeCommentsProvider() as $test_set) {
    list($expected, $comments) = $test_set;
    $this->assertEqual($expected, $connection->makeComment($comments));
  }
}
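
The comment sanitisation that testVulnerableComment() asserts, as an added PHP example that is not Drupal's own code. naive_comment(), safe_comment() and is_single_comment() are hypothetical helpers, and the replacement rule is an assumption inferred from the input and expected strings in the test above.

```php
<?php
// Added illustration. These helpers are hypothetical and are not Drupal's
// Connection methods.

// Weak form: caller-supplied text is concatenated straight into a block comment.
function naive_comment(array $comments): string {
  return $comments ? '/* ' . implode('. ', $comments) . ' */ ' : '';
}

// Hardened form: every "*" is padded with spaces so neither "*/" nor "/*" can
// form inside the comment, and ";" becomes "." so the comment carries no
// statement separator. Rule inferred from the test's input/expected pair.
function safe_comment(array $comments): string {
  if (!$comments) {
    return '';
  }
  $flat = implode('. ', $comments);
  return '/* ' . strtr($flat, ['*' => ' * ', ';' => '.']) . ' */ ';
}

// TRUE when the text between the outer "/* " and " */ " contains neither a
// comment terminator nor a statement separator.
function is_single_comment(string $prefix): bool {
  $body = substr($prefix, 3, -4);
  return strpos($body, '*/') === FALSE && strpos($body, ';') === FALSE;
}

// Comment string and flattened SELECT taken from the test above.
$payload = 'Testing query comments */ SELECT nid FROM {node}; --';
$select = "SELECT test.name AS name, test.age AS age\nFROM \n{test} test";

foreach (['naive_comment', 'safe_comment'] as $builder) {
  $prefix = $builder([$payload]);
  printf("%s\n  SQL: %s\n  stays one comment: %s\n\n",
    $builder,
    str_replace("\n", ' ', $prefix . $select),
    is_single_comment($prefix) ? 'yes' : 'no');
}

// The hardened output must equal the string the test expects.
$expected = "/* Testing query comments  * / SELECT nid FROM {node}. -- */ "
  . "SELECT test.name AS name, test.age AS age\nFROM \n{test} test";
if (safe_comment([$payload]) . $select !== $expected) {
  throw new RuntimeException('Sanitised comment differs from the expected string.');
}
```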