function SelectTest::testVulnerableComment

Same name in other branches
  1. 8.9.x core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()
  2. 10 core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()
  3. 11.x core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()

Tests query COMMENT system against vulnerabilities.

File

core/tests/Drupal/KernelTests/Core/Database/SelectTest.php, line 50

Class

SelectTest
Tests the Select query builder.

Namespace

Drupal\KernelTests\Core\Database

Code

public function testVulnerableComment() {
    // The comment deliberately contains a block-comment terminator (*/) and a
    // statement separator (;). If either reached the SQL unfiltered, the text
    // following them could be executed as a second statement.
    $query = $this->connection
        ->select('test')
        ->comment('Testing query comments */ SELECT nid FROM {node}; --');
    $query->addField('test', 'name');
    $query->addField('test', 'age', 'age');
    $result = $query->execute();
    $records = $result->fetchAll();
    $query = (string) $query;
    // Sanitized form: '*' becomes ' * ' (breaking up '*/') and ';' becomes '.'.
    $expected = "/* Testing query comments  * / SELECT nid FROM {node}. -- */";
    // Check the returned number of rows.
    $this->assertCount(4, $records);
    // Check that the flattened query contains the sanitized comment string.
    $this->assertStringContainsString($expected, $query);
    // Check Connection::makeComment() directly against the data provider.
    $connection = Database::getConnection();
    foreach ($this->makeCommentsProvider() as $test_set) {
        [
            $expected,
            $comments,
        ] = $test_set;
        $this->assertEquals($expected, $connection->makeComment($comments));
    }
}
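The following is an added, standalone example (not Drupal's own code) that reimplements the comment sanitization the test's expected string implies, so the defence can be run and inspected outside a Drupal kernel test. The function names sanitizeComment() and makeComment() are assumptions for this example; the input string is the one used by the test above.

```php
<?php
// Added example, not Drupal's code. Reimplements the sanitization the test's
// expected string implies: '*' -> ' * ' breaks up a '*/' terminator, and
// ';' -> '.' defuses a statement separator. Function names are assumed.

// Neutralise the two characters that would let a comment escape its
// enclosing block comment or start a second statement.
function sanitizeComment(string $comment): string {
  return strtr($comment, ['*' => ' * ', ';' => '.']);
}

// Flatten a list of comments into one block comment, sanitising first.
// Returns '' for an empty list so callers can prepend the result unconditionally.
function makeComment(array $comments): string {
  if (empty($comments)) {
    return '';
  }
  return '/* ' . sanitizeComment(implode('. ', $comments)) . ' */ ';
}

// The comment string used by the Drupal test on this page.
$untrusted = 'Testing query comments */ SELECT nid FROM {node}; --';

// Naive wrapping: the block comment is closed early and the remainder of
// the string is emitted as SQL outside the comment.
$naive = '/* ' . $untrusted . ' */ ';
// Sanitised wrapping: everything stays inside a single block comment.
$safe = makeComment([$untrusted]);

// The sanitised output matches the test's expected substring exactly.
$expected = '/* Testing query comments  * / SELECT nid FROM {node}. -- */';
assert(strpos($safe, $expected) !== false);
// The naive form contains an early terminator; the sanitised form does not.
assert(strpos($naive, '*/ SELECT') !== false);
assert(strpos($safe, '*/ SELECT') === false);
// An empty provider yields no comment at all.
assert(makeComment([]) === '');

echo "naive:     $naive\n";
echo "sanitised: $safe\n";
```

Run it with `php -d zend.assertions=1 example.php`; with assertions disabled (the default in production builds) the script only prints the two renderings. The key design point is that the filter does not try to recognise attack patterns: it rewrites every `*` and `;` unconditionally, so there is no terminator or separator variant left to slip past it.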
