update core to 7.36
@@ -238,7 +238,7 @@ class DatabaseConnectionTestCase extends DatabaseTestCase {
|
||||
// Open the default target so we have an object to compare.
|
||||
$db1 = Database::getConnection('default', 'default');
|
||||
|
||||
// Try to close the the default connection, then open a new one.
|
||||
// Try to close the default connection, then open a new one.
|
||||
Database::closeConnection('default', 'default');
|
||||
$db2 = Database::getConnection('default', 'default');
|
||||
|
||||
@@ -1947,6 +1947,15 @@ class DatabaseSelectOrderedTestCase extends DatabaseTestCase {
|
||||
|
||||
$this->assertEqual($num_records, 4, 'Returned the correct number of rows.');
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that the sort direction is sanitized properly.
|
||||
*/
|
||||
function testOrderByEscaping() {
|
||||
$query = db_select('test')->orderBy('name', 'invalid direction');
|
||||
$order_bys = $query->getOrderBy();
|
||||
$this->assertEqual($order_bys['name'], 'ASC', 'Invalid order by direction is converted to ASC.');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -3384,6 +3393,34 @@ class DatabaseQueryTestCase extends DatabaseTestCase {
|
||||
|
||||
$this->assertEqual(count($names), 3, 'Correct number of names returned');
|
||||
}
|
||||
|
||||
/**
|
||||
* Test SQL injection via database query array arguments.
|
||||
*/
|
||||
public function testArrayArgumentsSQLInjection() {
|
||||
// Attempt SQL injection and verify that it does not work.
|
||||
$condition = array(
|
||||
"1 ;INSERT INTO {test} (name) VALUES ('test12345678'); -- " => '',
|
||||
'1' => '',
|
||||
);
|
||||
try {
|
||||
db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
|
||||
$this->fail('SQL injection attempt via array arguments should result in a PDOException.');
|
||||
}
|
||||
catch (PDOException $e) {
|
||||
$this->pass('SQL injection attempt via array arguments should result in a PDOException.');
|
||||
}
|
||||
|
||||
// Test that the insert query that was used in the SQL injection attempt did
|
||||
// not result in a row being inserted in the database.
|
||||
$result = db_select('test')
|
||||
->condition('name', 'test12345678')
|
||||
->countQuery()
|
||||
->execute()
|
||||
->fetchField();
|
||||
$this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
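Review bot: The closing assertion of testArrayArgumentsSQLInjection, `$this->assertFalse($result, ...)`, only checks that fetchField() returned something falsy, so a zero count (presumably delivered as the string '0' by the PDO driver) passes for the same reason a failed fetch returning false would; it does not actually pin the row count to zero. `$this->assertEqual($result, 0, 'SQL injection attempt did not result in a row being inserted in the database table.');` states the intent the comment above it describes and would still distinguish a broken count query from a genuinely empty result. The try/catch part is fine as written, since a driver that silently stringified the array argument would reach the `fail()` call rather than the catch.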
|
||||
@@ -3417,12 +3454,14 @@ class DatabaseTransactionTestCase extends DatabaseTestCase {
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method for transaction unit test. This "outer layer" transaction
|
||||
* starts and then encapsulates the "inner layer" transaction. This nesting
|
||||
* is used to evaluate whether the the database transaction API properly
|
||||
* supports nesting. By "properly supports," we mean the outer transaction
|
||||
* continues to exist regardless of what functions are called and whether
|
||||
* those functions start their own transactions.
|
||||
* Helper method for transaction unit test.
|
||||
*
|
||||
* This "outer layer" transaction starts and then encapsulates the
|
||||
* "inner layer" transaction. This nesting is used to evaluate whether the
|
||||
* database transaction API properly supports nesting. By "properly supports,"
|
||||
* we mean the outer transaction continues to exist regardless of what
|
||||
* functions are called and whether those functions start their own
|
||||
* transactions.
|
||||
*
|
||||
* In contrast, a typical database would commit the outer transaction, start
|
||||
* a new transaction for the inner layer, commit the inner layer transaction,
|
||||
|
||||