function DatabaseQueryTestCase::testConditionOperatorArgumentsSQLInjection

Tests that attempted SQL injection via the condition operator is rejected.

File

modules/simpletest/tests/database_test.test, line 3640

Class

DatabaseQueryTestCase
Drupal-specific SQL syntax tests.

Code

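/**
 * Tests that SQL injection through the condition operator is rejected.
 *
 * Each case passes a crafted string as the operator argument of condition()
 * and expects InvalidQueryConditionOperatorException to be thrown instead of
 * the query running. The first case additionally verifies that the INSERT
 * embedded in the operator string did not create a row.
 */
public function testConditionOperatorArgumentsSQLInjection() {
    // Stacked-statement payload: closes the condition, appends an INSERT and
    // comments out the remainder of the generated SQL.
    $this->assertInjectionOperatorRejected(
        "IS NOT NULL); INSERT INTO {test} (name) VALUES ('test12345678'); -- "
    );
    // The INSERT smuggled into the operator above must not have taken effect.
    $count = db_select('test')->condition('name', 'test12345678')
        ->countQuery()
        ->execute()
        ->fetchField();
    $this->assertFalse($count, 'SQL injection attempt did not result in a row being inserted in the database table.');

    // UNION-based payload containing no quotes, semicolons or comment markers,
    // so character filtering alone would not catch it.
    db_insert('test')->fields(array(
        'name' => '123456',
    ))
        ->execute();
    $this->assertInjectionOperatorRejected(
        "= 1 UNION ALL SELECT password FROM user WHERE uid =",
        array('name', 'name')
    );

    // UNION-based payload naming an uppercase table; presumably guards against
    // the operator check being sensitive to table-name case.
    db_insert('TEST_UPPERCASE')->fields(array(
        'name' => 'secrets',
    ))
        ->execute();
    $this->assertInjectionOperatorRejected(
        "IS NOT NULL) UNION ALL SELECT name FROM {TEST_UPPERCASE} -- ",
        array('name')
    );
}

/**
 * Asserts that a crafted condition operator is rejected by the query builder.
 *
 * @param string $operator
 *   The attacker-controlled string passed as the operator argument of
 *   condition().
 * @param array $fields
 *   Fields of the 't' alias to select; an empty array selects every field,
 *   the same as calling fields('t') with no field list.
 */
protected function assertInjectionOperatorRejected($operator, array $fields = array()) {
    try {
        db_select('test', 't')->fields('t', $fields)
            ->condition('name', 1, $operator)
            ->execute();
        $this->fail('Should not be able to attempt SQL injection via condition operator.');
    } catch (InvalidQueryConditionOperatorException $e) {
        $this->pass('SQL injection attempt via condition arguments should result in a database exception.');
    }
}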
