public function DatabaseQueryTestCase::testArrayArgumentsSQLInjection

Tests that a SQL injection payload placed in the *keys* of an array argument passed to db_query() (expanded into multiple placeholders) is rejected with a PDOException and leaves no side effect in the database.

File

drupal/modules/simpletest/tests/database_test.test, line 3437

Class

DatabaseQueryTestCase
Drupal-specific SQL syntax tests.

Code

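/**
 * Tests that SQL injection via the keys of an array query argument fails.
 *
 * The payload is put in an array *key* (the values are deliberately empty)
 * because array arguments bound to a single named placeholder are expanded by
 * the database layer into one placeholder per element; this test pins down
 * that the caller-supplied keys never reach the generated SQL. Two things are
 * asserted: db_query() throws a PDOException, and the INSERT embedded in the
 * payload did not add a row to the {test} table.
 */
public function testArrayArgumentsSQLInjection() {

  // Attempt SQL injection and verify that it does not work. The malicious
  // text is the array key, not the value; the second element only makes the
  // argument a multi-element array so that placeholder expansion happens.
  $condition = array(
    "1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
    '1' => '',
  );
  try {
    db_query("SELECT * FROM {test} WHERE name = :name", array(
      ':name' => $condition,
    ))
      ->fetchObject();
    $this
      ->fail('SQL injection attempt via array arguments should result in a PDOException.');
  } catch (PDOException $e) {
    // Only a PDOException counts as the expected rejection; any other
    // exception type propagates and fails the test loudly.
    $this
      ->pass('SQL injection attempt via array arguments should result in a PDOException.');
  }

  // Test that the insert query that was used in the SQL injection attempt did
  // not result in a row being inserted in the database.
  $result = db_select('test')
    ->condition('name', 'test12345678')
    ->countQuery()
    ->execute()
    ->fetchField();
  // fetchField() returns FALSE when nothing could be fetched, which a bare
  // truthiness check (assertFalse) would silently accept as "no rows". Rule
  // out a failed fetch first, then compare the count numerically; the count
  // may come back as the string "0" depending on the driver, so use a loose
  // equality for that comparison.
  $this
    ->assertNotIdentical($result, FALSE, 'Row count for the injection marker value could be fetched.');
  $this
    ->assertEqual($result, 0, 'SQL injection attempt did not result in a row being inserted in the database table.');
}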