public function EntityQueryTest::testInjectionInCondition in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Entity/EntityQueryTest.php \Drupal\system\Tests\Entity\EntityQueryTest::testInjectionInCondition()

Tests against SQL injection through the condition field name. This covers a database driver's EntityQuery\Condition class.

File

core/modules/system/src/Tests/Entity/EntityQueryTest.php, line 857
Contains \Drupal\system\Tests\Entity\EntityQueryTest.

Class

EntityQueryTest
Tests Entity Query functionality.

Namespace

Drupal\system\Tests\Entity

Code

public function testInjectionInCondition() {
  try {
    // The field name itself carries the injection attempt; a backend that
    // interpolated it unchecked would emit "1 ; -- IN (...)" as SQL.
    $this->queryResults = $this->factory
      ->get('entity_test_mulrev')
      ->condition('1 ; -- ', array(0, 1), 'IN')
      ->sort('id')
      ->execute();
    $this->fail('SQL Injection attempt in Entity Query condition in operator should result in an exception.');
  }
  catch (\Exception $e) {
    // Expected: the unknown field name must be rejected before any SQL runs.
    $this->pass('SQL Injection attempt in Entity Query condition in operator should result in an exception.');
  }
}
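The property this test exercises is that a field name is an SQL identifier, so it cannot be bound as a placeholder the way values can; a query backend has to resolve it against the entity type's known fields instead. The following is an added illustration of that check, not Drupal core code: the field list, the function name `build_in_condition` and the use of `\InvalidArgumentException` (standing in for the exception Drupal's query backend throws) are assumptions made for the example.

```php
<?php
// Added example (not Drupal core code): the check an entity-query backend
// must make before a caller-supplied field name reaches SQL. Identifiers
// cannot be bound as placeholders, so they are matched against an allowlist.

// Constructed field map standing in for the entity type's field definitions.
const ENTITY_TEST_MULREV_FIELDS = ['id', 'revision_id', 'name', 'type'];

/**
 * Builds one "field IN (...)" condition with bound values.
 *
 * @return array Two elements: the SQL fragment and its bound arguments.
 * @throws \InvalidArgumentException When the field is not a known field
 *   (stand-in for the exception the real query backend throws).
 */
function build_in_condition(string $field, array $values, array $known_fields): array {
  // Resolve the identifier against the allowlist; never interpolate it as-is.
  if (!in_array($field, $known_fields, TRUE)) {
    throw new \InvalidArgumentException("'$field' is not a field of this entity type");
  }
  if ($values === []) {
    throw new \InvalidArgumentException('IN requires at least one value');
  }
  // Values are bound, so their content can never alter the statement.
  $placeholders = implode(', ', array_fill(0, count($values), '?'));
  return ["{$field} IN ({$placeholders})", array_values($values)];
}

// A legitimate condition on the real "id" field: parameterised, values bound.
[$sql, $args] = build_in_condition('id', [0, 1], ENTITY_TEST_MULREV_FIELDS);
echo $sql, ' with ', count($args), " bound values\n";

// The test's injection attempt: the field name "1 ; -- " is refused outright,
// so no SQL containing it is ever built.
try {
  build_in_condition('1 ; -- ', [0, 1], ENTITY_TEST_MULREV_FIELDS);
  echo "FAIL: injection in field name was accepted\n";
}
catch (\InvalidArgumentException $e) {
  echo "PASS: ", $e->getMessage(), "\n";
}
```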