This repository has been archived by the owner on May 16, 2018. It is now read-only.

Merge branch 'mhujer-fix-db-tests'
ezimuel committed Jun 16, 2014
2 parents 129f65c + 005bd71 commit 3f5a21e
Showing 7 changed files with 68 additions and 2 deletions.
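--- a/tests/Zend/Db/Select/Pdo/PgsqlTest.php
+++ b/tests/Zend/Db/Select/Pdo/PgsqlTest.php
@@ -126,4 +126,15 @@ public function testSelectFromSchemaInNameOverridesSchemaArgument()
 
 $this->assertEquals(4, count($rowset));
 }
+
+public function testSqlInjectionWithOrder()
+{
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('MD5(1);select');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
+}
 }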
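Review bot: Neither input passed to order() in testSqlInjectionWithOrder contains the identifier quote character, so the assertions pin only that a `;` or a call-like fragment stays inside one quoted identifier, not that an embedded `"` is escaped. A third case such as `->order('name";select')`, with the expected string showing the quote escaped the way quoteIdentifier() does for this adapter (presumably doubled, to be confirmed), would close that gap. The same applies to the identical copies added in Select/Pdo/SqliteTest.php, Select/StaticTest.php and the three Table/Select counterparts, and to the backtick variant in TestCommon.php.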
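--- a/tests/Zend/Db/Select/Pdo/SqliteTest.php
+++ b/tests/Zend/Db/Select/Pdo/SqliteTest.php
@@ -174,4 +174,15 @@ public function getDriver()
 return 'Pdo_Sqlite';
 }
 
+public function testSqlInjectionWithOrder()
+{
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('MD5(1);select');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
+}
+
 }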
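--- a/tests/Zend/Db/Select/StaticTest.php
+++ b/tests/Zend/Db/Select/StaticTest.php
@@ -820,4 +820,15 @@ public function getDriver()
 {
 return 'Static';
 }
+
+public function testSqlInjectionWithOrder()
+{
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('MD5(1);select');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
+}
 }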
4 changes: 2 additions & 2 deletions tests/Zend/Db/Select/TestCommon.php
Expand Up @@ -1761,10 +1761,10 @@ public function testSqlInjectionWithOrder()
{
$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('MD5(1);select');
$this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC');
$this->assertEquals('SELECT `p`.* FROM `products` AS `p` ORDER BY `MD5(1);select` ASC', $select->assemble());

$select = $this->_db->select();
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
$this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC');
$this->assertEquals('SELECT `p`.* FROM `products` AS `p` ORDER BY `name;select;MD5(1)` ASC', $select->assemble());
}
}
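Review bot: The two rewritten assertions hard-code MySQL-style backticks in the shared base test, which is why this commit pastes an identical double-quote override into six subclasses. Any adapter test class not touched here would inherit the backtick expectation, which cannot be checked from this page. Building the expected string from the adapter would keep a single copy: `$q = $this->_db->getQuoteIdentifierSymbol();` followed by `$expected = "SELECT {$q}p{$q}.* FROM {$q}products{$q} AS {$q}p{$q} ORDER BY {$q}MD5(1);select{$q} ASC";`. The method's signature is visible only in the hunk header.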
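--- a/tests/Zend/Db/Table/Select/Pdo/PgsqlTest.php
+++ b/tests/Zend/Db/Table/Select/Pdo/PgsqlTest.php
@@ -130,4 +130,15 @@ protected function _selectColumnWithColonQuotedParameter ()
 ->where($product_name . ' = ?', "as'as:x");
 return $select;
 }
+
+public function testSqlInjectionWithOrder()
+{
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('MD5(1);select');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
+}
 }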
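--- a/tests/Zend/Db/Table/Select/Pdo/SqliteTest.php
+++ b/tests/Zend/Db/Table/Select/Pdo/SqliteTest.php
@@ -178,4 +178,15 @@ public function getDriver()
 return 'Pdo_Sqlite';
 }
 
+public function testSqlInjectionWithOrder()
+{
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('MD5(1);select');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
+}
+
 }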
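--- a/tests/Zend/Db/Table/Select/StaticTest.php
+++ b/tests/Zend/Db/Table/Select/StaticTest.php
@@ -697,4 +697,15 @@ public function getDriver()
 return 'Static';
 }
 
+public function testSqlInjectionWithOrder()
+{
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('MD5(1);select');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+$this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC', $select->assemble());
+}
+
 }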
