Révision dae300e8
Ajouté par Julien Enselme il y a plus de 9 ans
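--- a/drupal7/modules/simpletest/tests/database_test.test
+++ b/drupal7/modules/simpletest/tests/database_test.test
@@ -3384,6 +3384,34 @@
 
 $this->assertEqual(count($names), 3, 'Correct number of names returned');
 }
+
+/**
+ * Test SQL injection via database query array arguments.
+ */
+public function testArrayArgumentsSQLInjection() {
+// Attempt SQL injection and verify that it does not work.
+$condition = array(
+"1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
+'1' => '',
+);
+try {
+db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
+$this->fail('SQL injection attempt via array arguments should result in a PDOException.');
+}
+catch (PDOException $e) {
+$this->pass('SQL injection attempt via array arguments should result in a PDOException.');
+}
+
+// Test that the insert query that was used in the SQL injection attempt did
+// not result in a row being inserted in the database.
+$result = db_select('test')
+->condition('name', 'test12345678')
+->countQuery()
+->execute()
+->fetchField();
+$this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
+}
+
 }
 
 /**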
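Review bot: The final check at new line 3412 only asserts that `fetchField()` returned something falsy, so a follow-up verification query that fails and yields FALSE passes the assertion exactly like a genuine count of 0, which would hide a broken check rather than a successful injection. Comparing the count explicitly, `$this->assertEqual($result, 0, 'SQL injection attempt did not result in a row being inserted in the database table.');`, mirrors the `assertEqual(count($names), 3, ...)` at line 3385 and distinguishes the two cases. The `$e` bound in `catch (PDOException $e)` is never used and could be dropped from the catch clause. The new method is complete within this section, but the enclosing test class continues outside it.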
Update to 7.32