author | David Rothstein <drothstein@gmail.com> | 2014-10-15 11:38:18 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2014-10-15 11:38:18 -0400 |
commit | b4844afdcadbaa7e4f3ad9a237f17126b94dc483 (patch) | |
tree | d402b658862e2d9ac82724702a39f97b5779f8fe /modules/simpletest | |
parent | f2c8d9550ec95b207dde99f45050b81337ae0065 (diff) | |
parent | 131a6f5129b18f3913ba5882111797f8588c5aaf (diff) | |
Merge tag '7.32' into 7.x
7.32 release
Conflicts:
CHANGELOG.txt
includes/bootstrap.inc
Diffstat (limited to 'modules/simpletest')
-rw-r--r-- | modules/simpletest/tests/database_test.test | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/modules/simpletest/tests/database_test.test b/modules/simpletest/tests/database_test.test
index dba04b27b..209bf6813 100644
--- a/modules/simpletest/tests/database_test.test
+++ b/modules/simpletest/tests/database_test.test
@@ -3384,6 +3384,34 @@ class DatabaseQueryTestCase extends DatabaseTestCase {
     $this->assertEqual(count($names), 3, 'Correct number of names returned');
   }
+
+  /**
+   * Test SQL injection via database query array arguments.
+   */
+  public function testArrayArgumentsSQLInjection() {
+    // Attempt SQL injection and verify that it does not work.
+    $condition = array(
+      "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
+      '1' => '',
+    );
+    try {
+      db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
+      $this->fail('SQL injection attempt via array arguments should result in a PDOException.');
+    }
+    catch (PDOException $e) {
+      $this->pass('SQL injection attempt via array arguments should result in a PDOException.');
+    }
+
+    // Test that the insert query that was used in the SQL injection attempt did
+    // not result in a row being inserted in the database.
+    $result = db_select('test')
+      ->condition('name', 'test12345678')
+      ->countQuery()
+      ->execute()
+      ->fetchField();
+    $this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
+  }
+
 }
 /**
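Review bot: The final `$this->assertFalse($result, ...)` in testArrayArgumentsSQLInjection checks a count obtained via countQuery()->execute()->fetchField(), which PDO generally hands back as a string, so the assertion only passes because '0' happens to be falsy in PHP rather than because the count was compared; `$this->assertEqual($result, 0, 'SQL injection attempt did not result in a row being inserted in the database table.');` states the intended check directly. The try/catch above it accepts any PDOException, so it cannot distinguish a syntax error produced by the placeholder expansion from a rejected injected statement, and the row-count query is what actually proves the injected INSERT did not run; a comment such as `// Any PDOException is acceptable here; the row count below is the check that the injected INSERT did not execute.` would make that division of labour explicit. The enclosing DatabaseQueryTestCase class starts and ends outside the hunk.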