
Function TestSQLInjection

driver_test.go:2101–2129  ·  view source on GitHub ↗
(t *testing.T)


2099}
2100
// TestSQLInjection checks that a value bound to a query placeholder is
// escaped as a literal rather than spliced into the SQL text. The probe
// statement compares NULL with the parameter, so a correctly escaped
// value can never match a row; getting a row back means the payload
// altered the statement (the test exercises escapeQuotes and
// escapeBackslash). The default DSN and a DSN with
// NO_BACKSLASH_ESCAPES set are both exercised.
func TestSQLInjection(t *testing.T) {
	// newInjectionCase builds a test body that runs the probe query with
	// payload bound as the single placeholder value.
	newInjectionCase := func(payload string) func(dbt *DBTest) {
		return func(dbt *DBTest) {
			dbt.mustExec("CREATE TABLE test (v INTEGER)")
			dbt.mustExec("INSERT INTO test VALUES (?)", 1)

			// NULL = <anything> is never true, so the only way this query
			// can yield a row is if the payload broke out of the string
			// literal and changed the statement.
			var got int
			err := dbt.db.QueryRow("SELECT v FROM test WHERE NULL = ?", payload).Scan(&got)
			switch {
			case err == sql.ErrNoRows:
				// No row came back: the payload stayed a plain string value.
			case err == nil:
				dbt.Errorf("sql injection successful with arg: %s", payload)
			default:
				dbt.Errorf("error running query with arg: %s; err: %s", payload, err.Error())
			}
		}
	}

	// Each payload is run against every DSN, in this order.
	payloads := []string{"1 OR 1=1", "' OR '1'='1"}
	for _, testdsn := range []string{dsn, dsn + "&sql_mode='NO_BACKSLASH_ESCAPES'"} {
		for _, payload := range payloads {
			runTests(t, testdsn, newInjectionCase(payload))
		}
	}
}
2130
2131// Test if inserted data is correctly retrieved after being escaped
2132func TestInsertRetrieveEscapedData(t *testing.T) {
