function SelectTest::testVulnerableComment

Same name and namespace in other branches
  1. 9 core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()
  2. 8.9.x core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()
  3. 11.x core/tests/Drupal/KernelTests/Core/Database/SelectTest.php \Drupal\KernelTests\Core\Database\SelectTest::testVulnerableComment()

Tests query COMMENT system against vulnerabilities.

File

core/tests/Drupal/KernelTests/Core/Database/SelectTest.php, line 52

Class

SelectTest
Tests the Select query builder.

Namespace

Drupal\KernelTests\Core\Database

Code

public function testVulnerableComment() : void {
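  // The comment text tries to close the SQL comment early ("*/") and append a
  // second statement; the query comment must not allow that.
  $query = $this->connection
    ->select('test')
    ->comment('Testing query comments */ SELECT nid FROM {node}; --');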
  $query->addField('test', 'name');
  $query->addField('test', 'age', 'age');
  $result = $query->execute();
  $records = $result->fetchAll();
  $query = (string) $query;
  $expected = "/* Testing query comments  * / SELECT nid FROM {node}. -- */";
  // Check the returned number of rows.
  $this->assertCount(4, $records);
  // Check that the flattened query contains the sanitized comment string.
  $this->assertStringContainsString($expected, $query);
  // Check makeComment() directly against each expected/input pair from
  // makeCommentsProvider().
  $connection = Database::getConnection();
  foreach ($this->makeCommentsProvider() as $test_set) {
    [
      $expected,
      $comments,
    ] = $test_set;
    $this->assertEquals($expected, $connection->makeComment($comments));
  }
}
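
The sanitization this test asserts, shown as an added example that is not Drupal's source code. The filter is inferred from the `$expected` string in the test. The function names, the non-nesting comment scanner and the base query string are assumptions made for illustration.

```php
<?php
// Added illustration; not Drupal's source. All function names are hypothetical.

// Naive wrapping: the comment text is embedded verbatim.
function naive_comment(array $comments): string {
  return $comments ? '/* ' . implode('. ', $comments) . ' */ ' : '';
}

// Filtered wrapping: pad every "*" with spaces so it can no longer form "*/",
// and turn ";" into ".", matching the $expected string in the test.
function filtered_comment(array $comments): string {
  $filter = fn(string $c): string => strtr($c, ['*' => ' * ', ';' => '.']);
  return $comments ? '/* ' . implode('. ', array_map($filter, $comments)) . ' */ ' : '';
}

// Return the SQL text that lies outside /* ... */ blocks, assuming block
// comments do not nest.
function sql_outside_comments(string $sql): string {
  $out = '';
  $in_comment = FALSE;
  for ($i = 0, $len = strlen($sql); $i < $len; $i++) {
    $pair = substr($sql, $i, 2);
    if (!$in_comment && $pair === '/*') {
      $in_comment = TRUE;
      $i++;
    }
    elseif ($in_comment && $pair === '*/') {
      $in_comment = FALSE;
      $i++;
    }
    elseif (!$in_comment) {
      $out .= $sql[$i];
    }
  }
  return $out;
}

// Same comment text as the test; the base query is a constructed stand-in.
$input = ['Testing query comments */ SELECT nid FROM {node}; --'];
$base = 'SELECT name, age FROM test';

foreach (['naive_comment', 'filtered_comment'] as $fn) {
  $sql = $fn($input) . $base;
  // If "{node}" is visible outside comments, the comment text escaped.
  $escaped = str_contains(sql_outside_comments($sql), '{node}');
  printf("%-17s escaped=%s\n  %s\n", $fn, $escaped ? 'yes' : 'no', $sql);
}
```

With the naive wrapper the text after `*/` lands outside the comment; with the filter the whole string stays inside it, which is what `assertStringContainsString($expected, $query)` checks.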
