1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
use strict;
use warnings;
use Test::More;
use Test::Exception;
use SQL::Abstract::Test import => ['is_same_sql_bind'];
use SQL::Abstract;
my $sqla = SQL::Abstract->new;
my $sqla_q = SQL::Abstract->new(quote_char => '"');
throws_ok( sub {
$sqla->select(
'foo',
[ 'bar' ],
{ 'bobby; tables' => 'bar' },
);
}, qr/Possible SQL injection attempt/, 'Injection thwarted on unquoted column' );
my ($sql, @bind) = $sqla_q->select(
'foo',
[ 'bar' ],
{ 'bobby; tables' => 'bar' },
);
is_same_sql_bind (
$sql, \@bind,
'SELECT "bar" FROM "foo" WHERE ( "bobby; tables" = ? )',
[ 'bar' ],
'Correct sql with quotes on'
);
for ($sqla, $sqla_q) {
throws_ok( sub {
$_->select(
'foo',
[ 'bar' ],
{ x => { 'bobby; tables' => 'y' } },
);
}, qr/Possible SQL injection attempt/, 'Injection thwarted on top level op');
throws_ok( sub {
$_->select(
'foo',
[ 'bar' ],
{ x => { '<' => { "-go\ndo some harm" => 'y' } } },
);
}, qr/Possible SQL injection attempt/, 'Injection thwarted on chained functions');
}
done_testing;
|
