| 2099 | } |
| 2100 | |
// TestSQLInjection checks that a query argument containing SQL syntax is
// handed to the server as a literal value and not spliced into the statement.
// The predicate "NULL = ?" cannot be true for any real value, so the only way
// the query can return a row is if the argument changed the query text.
//
// The probe runs once against the plain test DSN and once with
// sql_mode='NO_BACKSLASH_ESCAPES' appended, since the quoting the driver has
// to apply (escaping backslashes vs. only doubling quotes) presumably differs
// between the two server modes.
//
// NOTE(review): escapeQuotes/escapeBackslash are only on the code path when
// parameters are interpolated client-side; with server-side prepared
// statements the argument never enters the query text. Confirm the test DSN
// enables interpolation, otherwise this test proves less than it claims.
// NOTE(review): the second DSN is built with "&", which presumes dsn already
// carries a "?..." query string — verify against its definition.
func TestSQLInjection(t *testing.T) {
	// payloads are the argument strings that would widen the WHERE clause if
	// they were concatenated into the statement without escaping.
	payloads := []string{
		"1 OR 1=1",
		"' OR '1'='1",
	}

	// probe builds a test body that attempts the injection with one payload.
	probe := func(payload string) func(dbt *DBTest) {
		return func(dbt *DBTest) {
			dbt.mustExec("CREATE TABLE test (v INTEGER)")
			dbt.mustExec("INSERT INTO test VALUES (?)", 1)

			var got int
			// NULL never compares equal, so a row can only come back if the
			// payload rewrote the predicate.
			scanErr := dbt.db.QueryRow("SELECT v FROM test WHERE NULL = ?", payload).Scan(&got)
			switch scanErr {
			case sql.ErrNoRows:
				// expected: the payload was treated as plain data
			case nil:
				dbt.Errorf("sql injection successful with arg: %s", payload)
			default:
				dbt.Errorf("error running query with arg: %s; err: %s", payload, scanErr.Error())
			}
		}
	}

	// Same payload order per DSN as before: plain DSN first, then the
	// NO_BACKSLASH_ESCAPES variant.
	for _, testDSN := range []string{dsn, dsn + "&sql_mode='NO_BACKSLASH_ESCAPES'"} {
		for _, payload := range payloads {
			runTests(t, testDSN, probe(payload))
		}
	}
}
| 2130 | |
| 2131 | // Test if inserted data is correctly retrieved after being escaped |
| 2132 | func TestInsertRetrieveEscapedData(t *testing.T) { |