Added SQL injection protection for Mysqli and several test cases

author: Ben Fuhrmannek 2014-06-24 16:56:21 +0200
committer: Ben Fuhrmannek 2014-06-24 16:56:21 +0200
commit: 93721fdd94f90d48b290749398a26cef277ad129 (patch)
tree: 16d6f2bbe8ad8e5313b6bb07b18b182aee00b806 /tests/sql
parent: f3efcde454d85cdf4b6ddafa05afe99cea5cfd78 (diff)
15 files changed, 346 insertions, 0 deletions
diff --git a/tests/sql/connect.inc b/tests/sql/connect.inc
new file mode 100644
index 0000000..367d63d
--- /dev/null
+++ b/tests/sql/connect.inc
@@ -0,0 +1,14 @@
+<?php
+        $host      = getenv("MYSQL_TEST_HOST")     ? getenv("MYSQL_TEST_HOST") : "localhost";
+        $port      = getenv("MYSQL_TEST_PORT")     ? getenv("MYSQL_TEST_PORT") : 3306;
+        $user      = getenv("MYSQL_TEST_USER")     ? getenv("MYSQL_TEST_USER") : "root";
+        $passwd    = getenv("MYSQL_TEST_PASSWD")   ? getenv("MYSQL_TEST_PASSWD") : "";
+        $db        = getenv("MYSQL_TEST_DB")       ? getenv("MYSQL_TEST_DB") : "test";
+        $socket    = getenv("MYSQL_TEST_SOCKET")   ? getenv("MYSQL_TEST_SOCKET") : null;
+        function connect_mysqli_oostyle() {
+                global $host, $port, $user, $passwd, $db, $socket;
+                return new mysqli($host, $user, $passwd, $db, $port, $socket);
+        }
+?>
+\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_conditional.phpt b/tests/sql/mysqli_comment_conditional.phpt
new file mode 100644
index 0000000..0436c64
--- /dev/null
+++ b/tests/sql/mysqli_comment_conditional.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment protection and MySQL condition (/*!...*/)
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /*! ... */");
+flush();
+echo "mark.";
+?>
+--EXPECTF--
+mark.
+\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_cstyle_fail.phpt b/tests/sql/mysqli_comment_cstyle_fail.phpt
new file mode 100644
index 0000000..56a8ccb
--- /dev/null
+++ b/tests/sql/mysqli_comment_cstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (/*...*/) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /* injection */");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
+\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_hashstyle_fail.phpt b/tests/sql/mysqli_comment_hashstyle_fail.phpt
new file mode 100644
index 0000000..6f5b517
--- /dev/null
+++ b/tests/sql/mysqli_comment_hashstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (#) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 # injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
+\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_sqlstyle.phpt b/tests/sql/mysqli_comment_sqlstyle.phpt
new file mode 100644
index 0000000..c32c76a
--- /dev/null
+++ b/tests/sql/mysqli_comment_sqlstyle.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (--) protection
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=1
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 -- injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*mark.
+\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_sqlstyle_fail.phpt b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
new file mode 100644
index 0000000..83e63c5
--- /dev/null
+++ b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (--) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 -- injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
+\ No newline at end of file
diff --git a/tests/sql/mysqli_multiselect.phpt b/tests/sql/mysqli_multiselect.phpt
new file mode 100644
index 0000000..63d6c19
--- /dev/null
+++ b/tests/sql/mysqli_multiselect.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with multiple SELECT statements
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=1
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1; SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*mark.
+\ No newline at end of file
diff --git a/tests/sql/mysqli_multiselect_fail.phpt b/tests/sql/mysqli_multiselect_fail.phpt
new file mode 100644
index 0000000..2bee62a
--- /dev/null
+++ b/tests/sql/mysqli_multiselect_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with multiple SELECT statements set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=2
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1; SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*\)
+\ No newline at end of file
diff --git a/tests/sql/mysqli_multiselect_subselect.phpt b/tests/sql/mysqli_multiselect_subselect.phpt
new file mode 100644
index 0000000..e629720
--- /dev/null
+++ b/tests/sql/mysqli_multiselect_subselect.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with sub-SELECT
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=1
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT * FROM (SELECT 1)");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*mark.
+\ No newline at end of file
diff --git a/tests/sql/mysqli_no_constraints.phpt b/tests/sql/mysqli_no_constraints.phpt
new file mode 100644
index 0000000..1d7fff6
--- /dev/null
+++ b/tests/sql/mysqli_no_constraints.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Mysqli connection test without any constraints
+--INI--
+extension=mysqli.so
+suhosin.sql.comment=0
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 AS A UNION SELECT 2 -- injection");
+$rows = $result->fetch_all();
+if ($rows !== null && count($rows) == 2) { echo "ok"; }
+?>
+--EXPECTF--
+ok
+\ No newline at end of file
diff --git a/tests/sql/mysqli_open_comment.phpt b/tests/sql/mysqli_open_comment.phpt
new file mode 100644
index 0000000..29d3536
--- /dev/null
+++ b/tests/sql/mysqli_open_comment.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL open comment protection (/*...)
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=1
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /*");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Open comment in SQL query.*mark.
+\ No newline at end of file
diff --git a/tests/sql/mysqli_open_comment_fail.phpt b/tests/sql/mysqli_open_comment_fail.phpt
new file mode 100644
index 0000000..4645523
--- /dev/null
+++ b/tests/sql/mysqli_open_comment_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL open comment protection (/*...) set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=2
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /*");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Open comment in SQL query.*\)
+\ No newline at end of file
diff --git a/tests/sql/mysqli_union.phpt b/tests/sql/mysqli_union.phpt
new file mode 100644
index 0000000..9af9c61
--- /dev/null
+++ b/tests/sql/mysqli_union.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Mysqli query with UNION protection
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=1
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 UNION SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - UNION in SQL query.*mark.
+\ No newline at end of file
diff --git a/tests/sql/mysqli_union_fail.phpt b/tests/sql/mysqli_union_fail.phpt
new file mode 100644
index 0000000..ee51a79
--- /dev/null
+++ b/tests/sql/mysqli_union_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with UNION protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=2
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 UNION SELECT 2");
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - UNION in SQL query.*\)
+\ No newline at end of file
diff --git a/tests/sql/skipifmysqli.inc b/tests/sql/skipifmysqli.inc
new file mode 100644
index 0000000..ee16cf1
--- /dev/null
+++ b/tests/sql/skipifmysqli.inc
@@ -0,0 +1,5 @@
+<?php
+if (!extension_loaded("mysqli")) {
+        die('skip - mysqli extension not available');
+}
+?>
+\ No newline at end of file
author	Ben Fuhrmannek	2014-06-24 16:56:21 +0200
committer	Ben Fuhrmannek	2014-06-24 16:56:21 +0200
commit	93721fdd94f90d48b290749398a26cef277ad129 (patch)
tree	16d6f2bbe8ad8e5313b6bb07b18b182aee00b806 /tests/sql
parent	f3efcde454d85cdf4b6ddafa05afe99cea5cfd78 (diff)

diff --git a/tests/sql/connect.inc b/tests/sql/connect.inc new file mode 100644 index 0000000..367d63d --- /dev/null +++ b/tests/sql/connect.inc
@@ -0,0 +1,14 @@
	1	<?php
	2
	3	$host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "localhost";
	4	$port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306;
	5	$user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root";
	6	$passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : "";
	7	$db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test";
	8	$socket = getenv("MYSQL_TEST_SOCKET") ? getenv("MYSQL_TEST_SOCKET") : null;
	9
	10	function connect_mysqli_oostyle() {
	11	global $host, $port, $user, $passwd, $db, $socket;
	12	return new mysqli($host, $user, $passwd, $db, $port, $socket);
	13	}
	14	?> \ No newline at end of file


diff --git a/tests/sql/mysqli_comment_conditional.phpt b/tests/sql/mysqli_comment_conditional.phpt new file mode 100644 index 0000000..0436c64 --- /dev/null +++ b/tests/sql/mysqli_comment_conditional.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL comment protection and MySQL condition (/!.../)
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=2
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 /! ... /");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTF--
	25	mark. \ No newline at end of file


diff --git a/tests/sql/mysqli_comment_cstyle_fail.phpt b/tests/sql/mysqli_comment_cstyle_fail.phpt new file mode 100644 index 0000000..56a8ccb --- /dev/null +++ b/tests/sql/mysqli_comment_cstyle_fail.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL comment (/.../) protection set to fail
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=2
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 /* injection */");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Comment in SQL query.*\) \ No newline at end of file


diff --git a/tests/sql/mysqli_comment_hashstyle_fail.phpt b/tests/sql/mysqli_comment_hashstyle_fail.phpt new file mode 100644 index 0000000..6f5b517 --- /dev/null +++ b/tests/sql/mysqli_comment_hashstyle_fail.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL comment (#) protection set to fail
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=2
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 # injection");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Comment in SQL query.*\) \ No newline at end of file


diff --git a/tests/sql/mysqli_comment_sqlstyle.phpt b/tests/sql/mysqli_comment_sqlstyle.phpt new file mode 100644 index 0000000..c32c76a --- /dev/null +++ b/tests/sql/mysqli_comment_sqlstyle.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL comment (--) protection
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=1
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 -- injection");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Comment in SQL query.*mark. \ No newline at end of file


diff --git a/tests/sql/mysqli_comment_sqlstyle_fail.phpt b/tests/sql/mysqli_comment_sqlstyle_fail.phpt new file mode 100644 index 0000000..83e63c5 --- /dev/null +++ b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL comment (--) protection set to fail
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=2
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 -- injection");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Comment in SQL query.*\) \ No newline at end of file


diff --git a/tests/sql/mysqli_multiselect.phpt b/tests/sql/mysqli_multiselect.phpt new file mode 100644 index 0000000..63d6c19 --- /dev/null +++ b/tests/sql/mysqli_multiselect.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with multiple SELECT statements
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=1
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1; SELECT 2");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Multiple SELECT in SQL query.*mark. \ No newline at end of file


diff --git a/tests/sql/mysqli_multiselect_fail.phpt b/tests/sql/mysqli_multiselect_fail.phpt new file mode 100644 index 0000000..2bee62a --- /dev/null +++ b/tests/sql/mysqli_multiselect_fail.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with multiple SELECT statements set to fail
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=2
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1; SELECT 2");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Multiple SELECT in SQL query.*\) \ No newline at end of file


diff --git a/tests/sql/mysqli_multiselect_subselect.phpt b/tests/sql/mysqli_multiselect_subselect.phpt new file mode 100644 index 0000000..e629720 --- /dev/null +++ b/tests/sql/mysqli_multiselect_subselect.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with sub-SELECT
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=1
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT * FROM (SELECT 1)");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Multiple SELECT in SQL query.*mark. \ No newline at end of file


diff --git a/tests/sql/mysqli_no_constraints.phpt b/tests/sql/mysqli_no_constraints.phpt new file mode 100644 index 0000000..1d7fff6 --- /dev/null +++ b/tests/sql/mysqli_no_constraints.phpt
@@ -0,0 +1,26 @@
	1	--TEST--
	2	Mysqli connection test without any constraints
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.comment=0
	6	suhosin.sql.bailout_on_error=0
	7	suhosin.sql.comment=0
	8	suhosin.sql.opencomment=0
	9	suhosin.sql.multiselect=0
	10	suhosin.sql.union=0
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 AS A UNION SELECT 2 -- injection");
	21	$rows = $result->fetch_all();
	22	if ($rows !== null && count($rows) == 2) { echo "ok"; }
	23
	24	?>
	25	--EXPECTF--
	26	ok \ No newline at end of file


diff --git a/tests/sql/mysqli_open_comment.phpt b/tests/sql/mysqli_open_comment.phpt new file mode 100644 index 0000000..29d3536 --- /dev/null +++ b/tests/sql/mysqli_open_comment.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL open comment protection (/*...)
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=1
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 /*");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Open comment in SQL query.*mark. \ No newline at end of file


diff --git a/tests/sql/mysqli_open_comment_fail.phpt b/tests/sql/mysqli_open_comment_fail.phpt new file mode 100644 index 0000000..4645523 --- /dev/null +++ b/tests/sql/mysqli_open_comment_fail.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with SQL open comment protection (/*...) set to fail
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=2
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=0
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 /*");
	21	flush();
	22	echo "mark.";
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - Open comment in SQL query.*\) \ No newline at end of file


diff --git a/tests/sql/mysqli_union.phpt b/tests/sql/mysqli_union.phpt new file mode 100644 index 0000000..9af9c61 --- /dev/null +++ b/tests/sql/mysqli_union.phpt
@@ -0,0 +1,26 @@
	1	--TEST--
	2	Mysqli query with UNION protection
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=1
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 UNION SELECT 2");
	21	flush();
	22	echo "mark.";
	23
	24	?>
	25	--EXPECTREGEX--
	26	ALERT - UNION in SQL query.*mark. \ No newline at end of file


diff --git a/tests/sql/mysqli_union_fail.phpt b/tests/sql/mysqli_union_fail.phpt new file mode 100644 index 0000000..ee51a79 --- /dev/null +++ b/tests/sql/mysqli_union_fail.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Mysqli query with UNION protection set to fail
	3	--INI--
	4	extension=mysqli.so
	5	suhosin.sql.bailout_on_error=0
	6	suhosin.sql.comment=0
	7	suhosin.sql.opencomment=0
	8	suhosin.sql.multiselect=0
	9	suhosin.sql.union=2
	10	suhosin.log.stdout=32
	11	--SKIPIF--
	12	<?php
	13	include('skipifmysqli.inc');
	14	include('skipif.inc');
	15	?>
	16	--FILE--
	17	<?php
	18	include('connect.inc');
	19	$mysqli = connect_mysqli_oostyle();
	20	$result = $mysqli->query("SELECT 1 UNION SELECT 2");
	21	echo "mark.";
	22
	23	?>
	24	--EXPECTREGEX--
	25	ALERT - UNION in SQL query.*\) \ No newline at end of file


diff --git a/tests/sql/skipifmysqli.inc b/tests/sql/skipifmysqli.inc new file mode 100644 index 0000000..ee16cf1 --- /dev/null +++ b/tests/sql/skipifmysqli.inc
@@ -0,0 +1,5 @@
	1	<?php
	2	if (!extension_loaded("mysqli")) {
	3	die('skip - mysqli extension not available');
	4	}
	5	?> \ No newline at end of file