_acs-tcl__db_quoting (private)
_acs-tcl__db_quoting
Defined in packages/acs-tcl/tcl/test/db-proc-test-procs.tcl
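#
# Body of the db_quoting test case (registered via aa_register_case in
# db-proc-test-procs.tcl). Each element of the list below is executed as
# one testcase body by the aa_* harness; the wrapper at the end records
# an unexpected Tcl error as a failed result.
#
set _aa_export {}
set body_count 1
foreach testcase_body {{
    #
    # Positive control: a harmless value must round-trip through the
    # bind-variable path. Without it, the "must fail" assertions below
    # would also pass when the database path is simply broken (no
    # connection, missing "dual" view, ...), which would turn this
    # security regression test into a vacuous one.
    #
    set data "ab"
    set result [db_string via_bindvar_ok {select :data from dual}]
    aa_true "Bind variable round-trip of plain data [ns_urlencode $data]" \
        [string equal $result $data]

    #
    # Base essentials: PostgreSQL does not allow an embedded NUL
    # character. A NUL must be rejected on both paths that carry
    # untrusted data into SQL, bind variables and ns_dbquotevalue.
    # Silent truncation at the NUL (instead of an error) is what an
    # attacker would rely on, so any non-zero catch code is required.
    #
    set data "a\x00b"
    set bind_failed [catch {
        db_string via_bindvar {select :data from dual}
    }]
    aa_true "Attempting to sneak-in invalid data via bind values [ns_urlencode $data]" \
        $bind_failed

    set quoted_sql "select [ns_dbquotevalue $data] from dual"
    set quote_failed [catch {
        db_string via_dbquote $quoted_sql
    }]
    aa_true "Attempting to sneak-in invalid data via quoted value data [ns_urlencode $data]" \
        $quote_failed

    #
    # The following payloads add nothing conceptually new; they come
    # from real-world intrusion-detection logs. Each one tries to end
    # the value at the NUL and smuggle a subquery behind it. With
    # PostgreSQL the statement is expected to be refused outright, so
    # every payload must produce an error rather than a result.
    #
    set nul_payloads {
        "I contain the null \u0000character"
        "\u0000"
        "\u0000',(select 1 from dual)"
        "\u0000'',(select 1 from dual)"
        "\u0000''',(select 1 from dual)"
        "\u0000''',(select 1 from dual)'"
    }
    foreach data $nul_payloads {
        # errmsg holds the error text on failure, or the query result
        # if the payload was (wrongly) accepted; either way it is shown.
        set rejected [catch {
            db_string q {select :data from dual}
        } errmsg]
        aa_true "Quoting the test data should fail: $errmsg" $rejected
    }
}} {
    aa_log "Running testcase body $body_count"
    set ::__aa_test_indent [info level]
    set rc [catch $testcase_body msg]
    switch -- $rc {
        0 - 2 {
            # TCL_OK / TCL_RETURN: the body ran to completion.
        }
        default {
            aa_log_result "fail" "db_quoting (body $body_count): Error during execution: $msg, stack trace: \n$::errorInfo"
        }
    }
    incr body_count
}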