
Pgsql, Sqlite and Static selects need quotes
mhujer committed Jun 14, 2014
1 parent 187db6c commit 005bd71
Showing 6 changed files with 66 additions and 0 deletions.
11 changes: 11 additions & 0 deletions tests/Zend/Db/Select/Pdo/PgsqlTest.php
Expand Up @@ -126,4 +126,15 @@ public function testSelectFromSchemaInNameOverridesSchemaArgument()

$this->assertEquals(4, count($rowset));
}

public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
}
}
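Review bot: The new testSqlInjectionWithOrder on lines 22–31 only exercises the implicit-direction path of order(); a value carrying an explicit direction, e.g. `->order('name;select;MD5(1) DESC')` asserted as `ORDER BY "name;select;MD5(1)" DESC`, would also cover the branch that separates a trailing ASC/DESC before quoting, if order() has one, which is the other place a column fragment has to be quoted. The method has no docblock; a short one such as `/** Regression test: a column passed to order() must always be emitted as a single quoted identifier, so ; and ( in the name cannot alter the ORDER BY clause. */` would record why these odd-looking column names are asserted verbatim. The identical eleven lines are repeated in tests/Zend/Db/Select/Pdo/SqliteTest.php, tests/Zend/Db/Select/StaticTest.php and the three tests/Zend/Db/Table/Select copies; if these classes share a common base test case, a single copy there would cover every adapter and keep the expected quoting in one place. The enclosing test class begins outside the hunk.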
11 changes: 11 additions & 0 deletions tests/Zend/Db/Select/Pdo/SqliteTest.php
Expand Up @@ -174,4 +174,15 @@ public function getDriver()
return 'Pdo_Sqlite';
}

public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
}

}
11 changes: 11 additions & 0 deletions tests/Zend/Db/Select/StaticTest.php
Expand Up @@ -820,4 +820,15 @@ public function getDriver()
{
return 'Static';
}

public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
}
}
11 changes: 11 additions & 0 deletions tests/Zend/Db/Table/Select/Pdo/PgsqlTest.php
Expand Up @@ -130,4 +130,15 @@ protected function _selectColumnWithColonQuotedParameter ()
->where($product_name . ' = ?', "as'as:x");
return $select;
}

public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
}
}
11 changes: 11 additions & 0 deletions tests/Zend/Db/Table/Select/Pdo/SqliteTest.php
Expand Up @@ -178,4 +178,15 @@ public function getDriver()
return 'Pdo_Sqlite';
}

public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
}

}
11 changes: 11 additions & 0 deletions tests/Zend/Db/Table/Select/StaticTest.php
Expand Up @@ -697,4 +697,15 @@ public function getDriver()
return 'Static';
}

public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
}

}
