function DatabaseQueryTestCase::testArrayArgumentsSQLInjection

Test SQL injection via database query array arguments.

File

modules/simpletest/tests/database_test.test, line 3613

Class

DatabaseQueryTestCase
Drupal-specific SQL syntax tests.

Code

public function testArrayArgumentsSQLInjection() {
    // Attempt SQL injection and verify that it does not work.
    $condition = array(
        "1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
        '1' => '',
    );
    try {
        db_query("SELECT * FROM {test} WHERE name = :name", array(
            ':name' => $condition,
        ))->fetchObject();
        $this->fail('SQL injection attempt via array arguments should result in a PDOException.');
    } catch (PDOException $e) {
        $this->pass('SQL injection attempt via array arguments should result in a PDOException.');
    }
    // Test that the insert query that was used in the SQL injection attempt did
    // not result in a row being inserted in the database.
    $result = db_select('test')->condition('name', 'test12345678')
        ->countQuery()
        ->execute()
        ->fetchField();
    $this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}
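The test relies on how Drupal expands an array-valued placeholder: the array's values become numbered placeholders (:name_0, :name_1, ...) and the array's keys are never used to build query text, so the SQL hidden in the first key above goes nowhere. Expanding `name = :name` with two values also yields `name = :name_0, :name_1`, which is not valid SQL, which is why the test expects a PDOException rather than a result set. The following stand-alone Python re-implementation of that expansion (added here as an illustration; it is not Drupal's `DatabaseConnection::expandArguments()` and uses an in-memory SQLite table named `test` constructed for the example) replays the same payload and the same two checks as the test, and also shows the legitimate `IN (:name)` use the expansion exists for. The placeholder-name validation in `expand_array_arguments` is an extra check of this example, not something the page describes.

```python
import re
import sqlite3

# Placeholder names are restricted to simple identifiers so that nothing
# but generated names such as :name_0 ever reaches the query text.
# (This validation is an addition of this example, not Drupal behaviour.)
_PLACEHOLDER = re.compile(r'^:[A-Za-z_][A-Za-z0-9_]*$')


def expand_array_arguments(query, args):
    """Rewrite each array-valued placeholder :name into :name_0, :name_1, ...

    Only the values of the array are used; its keys are discarded, the same
    way PHP's array_values() would drop them.  A caller therefore cannot get
    text into the query string through the keys of the array.
    """
    expanded = {}
    for key, value in args.items():
        if not _PLACEHOLDER.match(key):
            raise ValueError(f'invalid placeholder name {key!r}')
        if isinstance(value, dict):
            value = list(value.values())        # keys are thrown away here
        if isinstance(value, (list, tuple)):
            new_keys = [f'{key}_{i}' for i in range(len(value))]
            query = re.sub(re.escape(key) + r'\b', ', '.join(new_keys), query)
            expanded.update(zip(new_keys, value))
        else:
            expanded[key] = value
    return query, expanded


def _sqlite_params(params):
    # sqlite3 expects named parameters without the leading colon.
    return {k[1:]: v for k, v in params.items()}


def make_db():
    """Constructed sample schema standing in for Drupal's {test} table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE test (name TEXT)')
    conn.executemany('INSERT INTO test (name) VALUES (?)', [('alice',), ('bob',)])
    return conn


def legitimate_in_list(conn):
    """The feature the expansion exists for: WHERE name IN (:name) with a list."""
    query, params = expand_array_arguments(
        'SELECT name FROM test WHERE name IN (:name) ORDER BY name',
        {':name': ['alice', 'bob', 'carol']},
    )
    rows = [row[0] for row in conn.execute(query, _sqlite_params(params))]
    return query, rows


def injection_attempt(conn):
    """Replay the test's payload (SQL in the array keys).

    Returns (expanded query, name of the raised exception class or None,
    number of rows whose name equals the value the payload tried to insert).
    """
    condition = {
        "1 ;INSERT INTO test (name) VALUES ('test12345678'); -- ": '',
        '1': '',
    }
    query, params = expand_array_arguments(
        'SELECT * FROM test WHERE name = :name', {':name': condition})
    error = None
    try:
        # "name = :name_0, :name_1" is a syntax error; the driver refuses it,
        # which is the counterpart of the PDOException the Drupal test expects.
        conn.execute(query, _sqlite_params(params)).fetchall()
    except sqlite3.Error as exc:
        error = type(exc).__name__
    count = conn.execute(
        "SELECT COUNT(*) FROM test WHERE name = 'test12345678'").fetchone()[0]
    return query, error, count


if __name__ == '__main__':
    db = make_db()
    print(legitimate_in_list(db))
    print(injection_attempt(db))
```

Running it shows the expanded query contains only the generated placeholder names (no trace of the INSERT), the driver rejects the malformed statement, and the count of rows named `test12345678` stays at zero, which are the two assertions the Drupal test makes.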
