|
15 | 15 | use CodeIgniter\Database\RawSql; |
16 | 16 | use CodeIgniter\Test\CIUnitTestCase; |
17 | 17 | use CodeIgniter\Test\Mock\MockConnection; |
| 18 | +use DateTime; |
| 19 | +use Error; |
| 20 | +use ErrorException; |
18 | 21 | use stdClass; |
19 | 22 |
|
20 | 23 | /** |
@@ -460,4 +463,144 @@ public function testWhereWithLower() |
460 | 463 | $expectedSQL = 'SELECT * FROM "jobs" WHERE LOWER(jobs.name) = \'accountant\''; |
461 | 464 | $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
462 | 465 | } |
| 466 | + |
| 467 | + public function testWhereValueIsString() |
| 468 | + { |
| 469 | + $builder = $this->db->table('users'); |
| 470 | + |
| 471 | + $builder->where('id', '1'); |
| 472 | + |
| 473 | + $expectedSQL = <<<'SQL' |
| 474 | + SELECT * FROM "users" WHERE "id" = '1' |
| 475 | + SQL; |
| 476 | + $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
| 477 | + } |
| 478 | + |
| 479 | + public function testWhereValueIsFloat() |
| 480 | + { |
| 481 | + $builder = $this->db->table('users'); |
| 482 | + |
| 483 | + $builder->where('id', 1.234); |
| 484 | + |
| 485 | + $expectedSQL = <<<'SQL' |
| 486 | + SELECT * FROM "users" WHERE "id" = 1.234 |
| 487 | + SQL; |
| 488 | + $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
| 489 | + } |
| 490 | + |
| 491 | + /** |
| 492 | + * The current behavior assumes MySQL. |
| 493 | + * Other databases may not work well, so we may want to change the behavior |
| 494 | + * to match the specifications of the database driver. |
| 495 | + */ |
| 496 | + public function testWhereValueIsTrue() |
| 497 | + { |
| 498 | + $builder = $this->db->table('users'); |
| 499 | + |
| 500 | + $builder->where('id', true); |
| 501 | + |
| 502 | + $expectedSQL = 'SELECT * FROM "users" WHERE "id" = 1'; |
| 503 | + $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
| 504 | + } |
| 505 | + |
| 506 | + /** |
| 507 | + * The current behavior assumes MySQL. |
| 508 | + * Other databases may not work well, so we may want to change the behavior |
| 509 | + * to match the specifications of the database driver. |
| 510 | + */ |
| 511 | + public function testWhereValueIsFalse() |
| 512 | + { |
| 513 | + $builder = $this->db->table('users'); |
| 514 | + |
| 515 | + $builder->where('id', false); |
| 516 | + |
| 517 | + $expectedSQL = 'SELECT * FROM "users" WHERE "id" = 0'; |
| 518 | + $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
| 519 | + } |
| 520 | + |
| 521 | + /** |
| 522 | + * Check if SQL injection is not possible when unexpected values are passed |
| 523 | + */ |
| 524 | + public function testWhereValueIsArray() |
| 525 | + { |
| 526 | + $builder = $this->db->table('users'); |
| 527 | + |
| 528 | + $builder->where('id', ['a', 'b']); |
| 529 | + |
| 530 | + // SQL syntax error |
| 531 | + $expectedSQL = <<<'SQL' |
| 532 | + SELECT * FROM "users" WHERE "id" = ('a','b') |
| 533 | + SQL; |
| 534 | + $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
| 535 | + } |
| 536 | + |
| 537 | + /** |
| 538 | + * Check if SQL injection is not possible when unexpected values are passed |
| 539 | + */ |
| 540 | + public function testWhereValueIsArrayOfArray() |
| 541 | + { |
| 542 | + $this->expectException(ErrorException::class); |
| 543 | + $this->expectExceptionMessage('Array to string conversion'); |
| 544 | + |
| 545 | + $builder = $this->db->table('users'); |
| 546 | + |
| 547 | + $builder->where('id', [['a', 'b'], ['c', 'd']]); |
| 548 | + |
| 549 | + $builder->getCompiledSelect(); |
| 550 | + } |
| 551 | + |
| 552 | + /** |
| 553 | + * Check if SQL injection is not possible when unexpected values are passed |
| 554 | + */ |
| 555 | + public function testWhereValueIsArrayOfObject() |
| 556 | + { |
| 557 | + $this->expectException(Error::class); |
| 558 | + $this->expectExceptionMessage('Object of class stdClass could not be converted to string'); |
| 559 | + |
| 560 | + $builder = $this->db->table('users'); |
| 561 | + |
| 562 | + $builder->where('id', [(object) ['a' => 'b'], (object) ['c' => 'd']]); |
| 563 | + |
| 564 | + $builder->getCompiledSelect(); |
| 565 | + } |
| 566 | + |
| 567 | + public function testWhereValueIsNull() |
| 568 | + { |
| 569 | + $builder = $this->db->table('users'); |
| 570 | + |
| 571 | + $builder->where('id', null); |
| 572 | + |
| 573 | + $expectedSQL = 'SELECT * FROM "users" WHERE "id" IS NULL'; |
| 574 | + $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledSelect())); |
| 575 | + } |
| 576 | + |
| 577 | + /** |
| 578 | + * Check if SQL injection is not possible when unexpected values are passed |
| 579 | + */ |
| 580 | + public function testWhereValueIsStdClass() |
| 581 | + { |
| 582 | + $this->expectException(Error::class); |
| 583 | + $this->expectExceptionMessage('Object of class stdClass could not be converted to string'); |
| 584 | + |
| 585 | + $builder = $this->db->table('users'); |
| 586 | + |
| 587 | + $builder->where('id', (object) ['a' => 'b']); |
| 588 | + |
| 589 | + $builder->getCompiledSelect(); |
| 590 | + } |
| 591 | + |
| 592 | + /** |
| 593 | + * Check if SQL injection is not possible when unexpected values are passed |
| 594 | + */ |
| 595 | + public function testWhereValueIsDateTime() |
| 596 | + { |
| 597 | + $this->expectException(Error::class); |
| 598 | + $this->expectExceptionMessage('Object of class DateTime could not be converted to string'); |
| 599 | + |
| 600 | + $builder = $this->db->table('users'); |
| 601 | + |
| 602 | + $builder->where('id', new DateTime('2022-02-19 12:00')); |
| 603 | + |
| 604 | + $builder->getCompiledSelect(); |
| 605 | + } |
463 | 606 | } |
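Review bot: The "SQL injection is not possible" tests (testWhereValueIsArray, testWhereValueIsArrayOfObject, testWhereValueIsStdClass) only pass values with no quote or metacharacter, so they confirm that each array element is wrapped and joined, but never exercise the escaping path; one element containing a single quote, e.g. `$builder->where('id', ["a'", 'b']);`, would pin that escaping is applied per element, with the expected string derived from MockConnection's escape output rather than hand-written. The `// SQL syntax error` comment in testWhereValueIsArray states the symptom rather than the intent and would read better as `// Invalid SQL, but each element is escaped and quoted rather than concatenated raw`. testWhereValueIsArrayOfArray appears to rely on the test runner promoting the "Array to string conversion" warning to ErrorException, which is an environment assumption worth a one-line note in its docblock, since a runner without that handler would make the test pass for the wrong reason. The enclosing test class begins outside the hunk.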