Révision dae300e8
Ajouté par Julien Enselme il y a plus de 9 ans
| drupal7/modules/simpletest/tests/database_test.test | ||
|---|---|---|
| 3384 | 3384 |
|
| 3385 | 3385 |
$this->assertEqual(count($names), 3, 'Correct number of names returned'); |
| 3386 | 3386 |
} |
| 3387 |
|
|
| 3388 |
/** |
|
| 3389 |
* Test SQL injection via database query array arguments. |
|
| 3390 |
*/ |
|
| 3391 |
public function testArrayArgumentsSQLInjection() {
|
|
| 3392 |
// Attempt SQL injection and verify that it does not work. |
|
| 3393 |
$condition = array( |
|
| 3394 |
"1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
|
|
| 3395 |
'1' => '', |
|
| 3396 |
); |
|
| 3397 |
try {
|
|
| 3398 |
db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
|
|
| 3399 |
$this->fail('SQL injection attempt via array arguments should result in a PDOException.');
|
|
| 3400 |
} |
|
| 3401 |
catch (PDOException $e) {
|
|
| 3402 |
$this->pass('SQL injection attempt via array arguments should result in a PDOException.');
|
|
| 3403 |
} |
|
| 3404 |
|
|
| 3405 |
// Test that the insert query that was used in the SQL injection attempt did |
|
| 3406 |
// not result in a row being inserted in the database. |
|
| 3407 |
$result = db_select('test')
|
|
| 3408 |
->condition('name', 'test12345678')
|
|
| 3409 |
->countQuery() |
|
| 3410 |
->execute() |
|
| 3411 |
->fetchField(); |
|
| 3412 |
$this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.'); |
|
| 3413 |
} |
|
| 3414 |
|
|
| 3387 | 3415 |
} |
| 3388 | 3416 |
|
| 3389 | 3417 |
/** |
Formats disponibles : Unified diff
Udpate to 7.32