Support arrayrefref for table names
[dbsrgits/SQL-Abstract.git] / t / 20injection_guard.t
use strict;
use warnings;
use Test::More;
use Test::Exception;
use SQL::Abstract::Test import => ['is_same_sql_bind'];
use SQL::Abstract;

# Two generators are exercised throughout this file:
#   $sqla   - built with no options, so no quote_char is configured;
#   $sqla_q - built with quote_char set to a double quote.
# The tests below compare how each one treats suspicious hash keys.
my $sqla   = SQL::Abstract->new();
my $sqla_q = SQL::Abstract->new( quote_char => q{"} );
# Column position, no quote_char: the WHERE key 'bobby; tables' is used as a
# column name. With the unquoting generator, select() is expected to die
# with the injection-guard message instead of returning SQL.
throws_ok {
    $sqla->select( 'foo', ['bar'], { 'bobby; tables' => 'bar' } );
}
qr/Possible SQL injection attempt/,
    'Injection thwarted on unquoted column';
# Column position, quote_char set: the same key is accepted. The expected
# statement below shows the key emitted as a double-quoted identifier and
# the value 'bar' passed as a bind parameter rather than inlined.
# NOTE(review): the key used here contains no double quote, so this case
# does not show how a key containing the quote character itself is handled.
my %suspicious_where = ( 'bobby; tables' => 'bar' );

my ($sql, @bind) = $sqla_q->select( 'foo', ['bar'], \%suspicious_where );

is_same_sql_bind(
    $sql,
    \@bind,
    'SELECT "bar" FROM "foo" WHERE ( "bobby; tables" = ? )',
    ['bar'],
    'Correct sql with quotes on',
);
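# Operator position: here the suspicious string is a key of the hash nested
# under column 'x', i.e. where an operator or function name is expected.
# Both generators are run through the same cases, so the guard is expected
# to fire whether or not quote_char is set.
#
# Each generator is paired with a label and bound to a named lexical: the
# closures handed to throws_ok then capture that lexical instead of reading
# the global $_ at the moment they are invoked, and a failure report says
# which generator let the input through.
for my $case ( [ unquoted => $sqla ], [ quoted => $sqla_q ] ) {
    my ( $label, $maker ) = @{$case};

    # Suspicious string used directly as the operator for column 'x'.
    throws_ok(
        sub {
            $maker->select(
                'foo',
                ['bar'],
                { x => { 'bobby; tables' => 'y' } },
            );
        },
        qr/Possible SQL injection attempt/,
        "Injection thwarted on top level op ($label)",
    );

    # Suspicious string one level deeper: a '-name' style key containing a
    # newline, nested under the '<' operator.
    throws_ok(
        sub {
            $maker->select(
                'foo',
                ['bar'],
                { x => { '<' => { "-go\ndo some harm" => 'y' } } },
            );
        },
        qr/Possible SQL injection attempt/,
        "Injection thwarted on chained functions ($label)",
    );
}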
# No fixed plan is declared; the test count is settled here at the end.
done_testing();