package mysqldump
import (
"fmt"
"testing"
)
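// TestForSQLInjection pins the escaping contract of sanitize: a value that has
// passed through it can be spliced into a single-quoted SQL string literal
// without terminating that literal. Each case formats the sanitized input into
// a query template and compares the result against the exact expected text.
//
// NOTE(review): the expectations encode backslash-style escaping (' -> \',
// NUL -> \0). A MySQL server running with sql_mode NO_BACKSLASH_ESCAPES does
// not treat a backslash as an escape character, so this escaping is not a
// complete defense by itself; prefer parameterized queries wherever the caller
// controls the statement, and confirm how sanitize's output is actually used.
func TestForSQLInjection(t *testing.T) {
	cases := []struct {
		name  string // short label reported on failure
		query string // template the sanitized value is formatted into
		input string // raw, attacker-controlled value
		want  string // exact query text expected after sanitizing
	}{
		{"plain value", "SELECT * WHERE field = '%s';", "test", "SELECT * WHERE field = 'test';"},
		{"quote then DROP", "'%s'", "'; DROP TABLES `test`;", "'\\'; DROP TABLES `test`;'"},
		{"quote-wrapped subquery", "'%s'", "'+(SELECT name FROM users LIMIT 1)+'", "'\\'+(SELECT name FROM users LIMIT 1)+\\''"},
		{"leading NUL byte", "SELECT '%s'", "\x00x633A5C626F6F742E696E69", "SELECT '\\0x633A5C626F6F742E696E69'"},
		{"comment tail", "WHERE PASSWORD('%s')", "') OR 1=1--", "WHERE PASSWORD('\\') OR 1=1--')"},
	}
	for _, tc := range cases {
		// One subtest per case so a single failing input does not hide the others
		// (the original Fatalf stopped at the first mismatch).
		t.Run(tc.name, func(t *testing.T) {
			got := fmt.Sprintf(tc.query, sanitize(tc.input))
			if got != tc.want {
				t.Errorf("expected %#v, got %#v", tc.want, got)
			}
		})
	}
}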