From 449c7028749767f2de5eff4bbba04ba27346056f Mon Sep 17 00:00:00 2001
From: David Rothstein <drothstein@gmail.com>
Date: Wed, 15 Oct 2014 10:36:05 -0400
Subject: Tests for SA-CORE-2014-005 by Stefan Horst, greggles, larowlan,
 David_Rothstein, klausi

---
 modules/simpletest/tests/database_test.test | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

(limited to 'modules/simpletest')

diff --git a/modules/simpletest/tests/database_test.test b/modules/simpletest/tests/database_test.test
index dba04b27b..209bf6813 100644
--- a/modules/simpletest/tests/database_test.test
+++ b/modules/simpletest/tests/database_test.test
@@ -3384,6 +3384,34 @@ class DatabaseQueryTestCase extends DatabaseTestCase {
 
     $this->assertEqual(count($names), 3, 'Correct number of names returned');
   }
+
+  /**
+   * Test SQL injection via database query array arguments.
+   */
+  public function testArrayArgumentsSQLInjection() {
+    // Attempt SQL injection and verify that it does not work.
+    $condition = array(
+      "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
+      '1' => '',
+    );
+    try {
+      db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
+      $this->fail('SQL injection attempt via array arguments should result in a PDOException.');
+    }
+    catch (PDOException $e) {
+      $this->pass('SQL injection attempt via array arguments should result in a PDOException.');
+    }
+
+    // Test that the insert query that was used in the SQL injection attempt did
+    // not result in a row being inserted in the database.
+    $result = db_select('test')
+      ->condition('name', 'test12345678')
+      ->countQuery()
+      ->execute()
+      ->fetchField();
+    $this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
+  }
+
 }
 
 /**
-- 
cgit v1.2.3