1 database_test.test public DatabaseQueryTestCase::testArrayArgumentsSQLInjection()

Test SQL injection via database query array arguments.

File

core/modules/simpletest/tests/database_test.test, line 3202
Database tests.

Class

DatabaseQueryTestCase
Backdrop-specific SQL syntax tests.

Code

public function testArrayArgumentsSQLInjection() {
  // Attempt SQL injection and verify that it does not work.
  $condition = array(
    "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
    '1' => '',
  );
  try {
    db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
    $this->fail('SQL injection attempt via array arguments should result in a PDOException.');
  }
  catch (PDOException $e) {
    $this->pass('SQL injection attempt via array arguments should result in a PDOException.');
  }

  // Test that the insert query that was used in the SQL injection attempt did
  // not result in a row being inserted in the database.
  $result = db_select('test')
    ->condition('name', 'test12345678')
    ->countQuery()
    ->execute()
    ->fetchField();
  $this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}