Changeset 743 for branches/4.x


Timestamp:
Jan 14, 2016, 12:32:01 PM (4 years ago)
Author:
cito
Message:

Test error messages and security of the get() method

The get() method should be immune to SQL injection through apostrophes in
values, and give a proper, helpful error message if a row is not found.

File:
1 edited

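--- a/branches/4.x/tests/test_classic_dbwrapper.py
+++ b/branches/4.x/tests/test_classic_dbwrapper.py
@@ -724,4 +724,43 @@
         self.assertIn('v4', r)
         self.assertEqual(r['v4'], 'abc4')
+
+    def testGetLittleBobbyTables(self):
+        get = self.db.get
+        query = self.db.query
+        query("drop table if exists test_students")
+        query("create table test_students (firstname varchar primary key,"
+            " nickname varchar, grade char(2))")
+        query("insert into test_students values ("
+              "'D''Arcy', 'Darcey', 'A+')")
+        query("insert into test_students values ("
+              "'Sheldon', 'Moonpie', 'A+')")
+        query("insert into test_students values ("
+              "'Robert', 'Little Bobby Tables', 'D-')")
+        r = get('test_students', 'Sheldon')
+        self.assertEqual(r, dict(
+            firstname="Sheldon", nickname='Moonpie', grade='A+'))
+        r = get('test_students', 'Robert')
+        self.assertEqual(r, dict(
+            firstname="Robert", nickname='Little Bobby Tables', grade='D-'))
+        r = get('test_students', "D'Arcy")
+        self.assertEqual(r, dict(
+            firstname="D'Arcy", nickname='Darcey', grade='A+'))
+        try:
+            get('test_students', "D' Arcy")
+        except pg.DatabaseError as error:
+            self.assertEqual(str(error),
+                'No such record in public.test_students where firstname = '
+                "'D'' Arcy'")
+        try:
+            get('test_students', "Robert'); TRUNCATE TABLE test_students;--")
+        except pg.DatabaseError as error:
+            self.assertEqual(str(error),
+                'No such record in public.test_students where firstname = '
+                "'Robert''); TRUNCATE TABLE test_students;--'")
+        q = "select * from test_students order by 1 limit 4"
+        r = query(q).getresult()
+        self.assertEqual(len(r), 3)
+        self.assertEqual(r[1][2], 'D-')
+        query('drop table test_students')
 
     def testInsert(self):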
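Review bot: The two `try` blocks around `get('test_students', "D' Arcy")` and the truncation-string lookup pass silently when `get()` does not raise, so the test cannot fail if either lookup unexpectedly returns a row; only the second case is covered indirectly, by the later `len(r) == 3` check. Add an `else: self.fail('DatabaseError not raised')` clause to each `try`, or, since the file already uses the 2.7-era `assertIn`, write `with self.assertRaises(pg.DatabaseError) as cm:` and compare `str(cm.exception)` afterwards. The second lookup is the one that carries the injection claim of this commit, so it in particular deserves a direct assertion that the error was raised rather than the indirect row count.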