File tree 1 file changed +30
-0
lines changed
1 file changed +30
-0
lines changed Original file line number Diff line number Diff line change @@ -1547,3 +1547,33 @@ func TestCustomDial(t *testing.T) {
15471547 t .Fatalf ("Connection failed: %s" , err .Error ())
15481548 }
15491549}
1550+
1551+ func TestSqlInjection (t * testing.T ) {
1552+ createTest := func (arg string ) func (dbt * DBTest ) {
1553+ return func (dbt * DBTest ) {
1554+ dbt .mustExec ("CREATE TABLE test (v INTEGER)" )
1555+ dbt .mustExec ("INSERT INTO test VALUES (?)" , 1 )
1556+
1557+ var v int
1558+ // NULL can't be equal to anything, the idea here is to inject query so it returns row
1559+ // This test verifies that EscapeQuotes and EscapeStrings are working properly
1560+ err := dbt .db .QueryRow ("SELECT v FROM test WHERE NULL = ?" , arg ).Scan (& v )
1561+ if err == sql .ErrNoRows {
1562+ return // success, sql injection failed
1563+ } else if err == nil {
1564+ dbt .Errorf ("Sql injection successful with arg: %s" , arg )
1565+ } else {
1566+ dbt .Errorf ("Error running query with arg: %s; err: %s" , err .Error ())
1567+ }
1568+ }
1569+ }
1570+
1571+ dsns := []string {
1572+ dsn ,
1573+ dsn + "&sql_mode=NO_BACKSLASH_ESCAPES" ,
1574+ }
1575+ for _ , testdsn := range dsns {
1576+ runTests (t , testdsn , createTest ("1 OR 1=1" ))
1577+ runTests (t , testdsn , createTest ("' OR '1'='1" ))
1578+ }
1579+ }
You can’t perform that action at this time.
0 commit comments