| Commit | Line | Data |
|---|
| b6251592 |
1 | use strict; |
| 2 | use warnings; |
| 3 | use Test::More; |
| 4 | use Test::Exception; |
| 5 | use SQL::Abstract::Test import => ['is_same_sql_bind']; |
| 6 | use SQL::Abstract; |
| 7 | |
| 8 | my $sqla = SQL::Abstract->new; |
| 9 | my $sqla_q = SQL::Abstract->new(quote_char => '"'); |
| 10 | |
| 11 | throws_ok( sub { |
| 12 | $sqla->select( |
| 13 | 'foo', |
| 14 | [ 'bar' ], |
| 170e6c33 |
15 | { 'bobby; tables' => 'bar' }, |
| b6251592 |
16 | ); |
| 17 | }, qr/Possible SQL injection attempt/, 'Injection thwarted on unquoted column' ); |
| 18 | |
| 19 | my ($sql, @bind) = $sqla_q->select( |
| 20 | 'foo', |
| 21 | [ 'bar' ], |
| 170e6c33 |
22 | { 'bobby; tables' => 'bar' }, |
| b6251592 |
23 | ); |
| 24 | |
| 25 | is_same_sql_bind ( |
| 26 | $sql, \@bind, |
| 170e6c33 |
27 | 'SELECT "bar" FROM "foo" WHERE ( "bobby; tables" = ? )', |
| b6251592 |
28 | [ 'bar' ], |
| 29 | 'Correct sql with quotes on' |
| 30 | ); |
| 31 | |
| 32 | |
| 33 | for ($sqla, $sqla_q) { |
| 34 | |
| 35 | throws_ok( sub { |
| 36 | $_->select( |
| 37 | 'foo', |
| 38 | [ 'bar' ], |
| 39 | { x => { 'bobby; tables' => 'y' } }, |
| 40 | ); |
| 41 | }, qr/Possible SQL injection attempt/, 'Injection thwarted on top level op'); |
| 42 | |
| 43 | throws_ok( sub { |
| 44 | $_->select( |
| 45 | 'foo', |
| 46 | [ 'bar' ], |
| 47 | { x => { '<' => { "-go\ndo some harm" => 'y' } } }, |
| 48 | ); |
| 49 | }, qr/Possible SQL injection attempt/, 'Injection thwarted on chained functions'); |
| 50 | } |
| 51 | |
| 52 | done_testing; |
projects / dbsrgits/SQL-Abstract.git / blame