authorBen Fuhrmannek2014-07-14 13:07:38 +0200
committerBen Fuhrmannek2014-07-14 13:07:38 +0200
commit1dc59e48642c98e34320f1a31c120fbf290fd509 (patch)
tree5126791aac0c7655daa502a00a53d4c2257ced43 /tests
parent940509ed02db713920612b0994a57d6227c3655c (diff)
parentaafe0cf82f5fb7220ac6f674bbc1c2091a6a9c4d (diff)
Merge branch 'sql'
Diffstat (limited to 'tests')
-rw-r--r--tests/sql/connect.inc14
-rw-r--r--tests/sql/mysqli_comment_conditional.phpt25
-rw-r--r--tests/sql/mysqli_comment_cstyle_fail.phpt25
-rw-r--r--tests/sql/mysqli_comment_hashstyle_fail.phpt25
-rw-r--r--tests/sql/mysqli_comment_sqlstyle.phpt25
-rw-r--r--tests/sql/mysqli_comment_sqlstyle_fail.phpt25
-rw-r--r--tests/sql/mysqli_connect_invalid_username.phpt17
-rw-r--r--tests/sql/mysqli_multiselect.phpt25
-rw-r--r--tests/sql/mysqli_multiselect_fail.phpt25
-rw-r--r--tests/sql/mysqli_multiselect_subselect.phpt25
-rw-r--r--tests/sql/mysqli_no_constraints.phpt26
-rw-r--r--tests/sql/mysqli_open_comment.phpt25
-rw-r--r--tests/sql/mysqli_open_comment_fail.phpt25
-rw-r--r--tests/sql/mysqli_union.phpt26
-rw-r--r--tests/sql/mysqli_union_fail.phpt25
-rw-r--r--tests/sql/mysqli_user_match_error.phpt18
-rw-r--r--tests/sql/mysqli_user_match_ok.phpt18
-rw-r--r--tests/sql/mysqli_user_postfix.phpt18
-rw-r--r--tests/sql/mysqli_user_prefix.phpt18
-rw-r--r--tests/sql/skipifmysqli.inc5
20 files changed, 435 insertions, 0 deletions
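--- /dev/null
+++ b/tests/sql/connect.inc
@@ -0,0 +1,14 @@
+<?php
+
+ $host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "localhost";
+ $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306;
+ $user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root";
+ $passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : "";
+ $db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test";
+ $socket = getenv("MYSQL_TEST_SOCKET") ? getenv("MYSQL_TEST_SOCKET") : null;
+
+ function connect_mysqli_oostyle() {
+ global $host, $port, $user, $passwd, $db, $socket;
+ return new mysqli($host, $user, $passwd, $db, $port, $socket);
+ }
+?>
\ No newline at end of file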
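Review bot: `$port` stays the string that `getenv()` returns whenever `MYSQL_TEST_PORT` is set, while the fallback on line 4 is the int `3306`, so the mysqli constructor receives a different type depending on the environment; every setting is also fetched twice by the `getenv(...) ? getenv(...) : default` pattern on lines 3–8. Casting at the boundary, `$port = (int) (getenv("MYSQL_TEST_PORT") ?: 3306);`, fixes the type and halves the lookups, and the same `?:` shortening applies to the other five lines. The file also ends with `?>` and no trailing newline; on an include-only file the closing tag is unnecessary and any byte after it would leak into the tests' exact-match output, so dropping it is the safer form.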
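--- /dev/null
+++ b/tests/sql/mysqli_comment_conditional.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment protection and MySQL condition (/*!...*/)
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /*! ... */");
+flush();
+echo "mark.";
+?>
+--EXPECTF--
+mark.
\ No newline at end of file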
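Review bot: The test pins that a MySQL conditional comment (`/*! ... */`) passes `suhosin.sql.comment=2` without an alert, but nothing in the file says this exemption is deliberate rather than a gap in the comment detector. Because MySQL executes the body of a conditional comment, a maintainer later tightening the comment check needs that intent spelled out; a title such as `Mysqli query: MySQL conditional comment (/*!...*/) is intentionally not treated as a comment`, or a one-line PHP comment above the query, would do. Whether the versioned form of the construct is handled the same way cannot be told from this hunk; a sibling case would pin that decision too.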
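--- /dev/null
+++ b/tests/sql/mysqli_comment_cstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (/*...*/) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /* injection */");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
\ No newline at end of file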
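--- /dev/null
+++ b/tests/sql/mysqli_comment_hashstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (#) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 # injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
\ No newline at end of file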
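--- /dev/null
+++ b/tests/sql/mysqli_comment_sqlstyle.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (--) protection
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=1
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 -- injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*mark.
\ No newline at end of file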
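--- /dev/null
+++ b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (--) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 -- injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
\ No newline at end of file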
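--- /dev/null
+++ b/tests/sql/mysqli_connect_invalid_username.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Mysqli connect with user_match not matching username
+--INI--
+extension=mysqli.so
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = new mysqli($host, "invalid\x01_username", $passwd, $db, $port, $socket);
+?>
+--EXPECTREGEX--
+ALERT - SQL username contains invalid characters.*
\ No newline at end of file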
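Review bot: The --TEST-- title `Mysqli connect with user_match not matching username` is copied from mysqli_user_match_error.phpt and does not describe this test, which passes a control character (`\x01`) in the username and expects `ALERT - SQL username contains invalid characters`. Suggest `Mysqli connect with control character in username is rejected`. The --INI-- block sets no `suhosin.sql.*` option, so what is exercised here is the default username validation with no match rule configured; saying so in the title makes the two tests distinguishable at a glance.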
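--- /dev/null
+++ b/tests/sql/mysqli_multiselect.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with multiple SELECT statements
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=1
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1; SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*mark.
\ No newline at end of file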
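--- /dev/null
+++ b/tests/sql/mysqli_multiselect_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with multiple SELECT statements set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=2
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1; SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*\)
\ No newline at end of file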
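--- /dev/null
+++ b/tests/sql/mysqli_multiselect_subselect.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with sub-SELECT
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=1
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT * FROM (SELECT 1)");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*mark.
\ No newline at end of file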
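Review bot: This test pins that a legitimate sub-SELECT (`SELECT * FROM (SELECT 1)`) raises `ALERT - Multiple SELECT in SQL query`, i.e. it codifies a false positive of the multiselect check on ordinary subqueries rather than an injection case, and the title `Mysqli query with sub-SELECT` does not say which of the two it is. Suggest `Mysqli query with sub-SELECT triggers multiselect alert (known limitation)` so that a later refinement distinguishing subqueries from stacked statements updates this expectation on purpose instead of reading the changed output as a regression. Whether the limitation is intentional or merely observed cannot be told from this hunk; the title should state whichever applies.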
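--- /dev/null
+++ b/tests/sql/mysqli_no_constraints.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Mysqli connection test without any constraints
+--INI--
+extension=mysqli.so
+suhosin.sql.comment=0
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 AS A UNION SELECT 2 -- injection");
+$rows = $result->fetch_all();
+if ($rows !== null && count($rows) == 2) { echo "ok"; }
+
+?>
+--EXPECTF--
+ok
\ No newline at end of file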
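Review bot: `suhosin.sql.comment=0` is set twice in the --INI-- block (lines 5 and 7); drop line 5. More importantly this is the only test in the commit that omits `suhosin.log.stdout=32`, and with `bailout_on_error=0` a filter that fired anyway would not write to stdout, the query would still return two rows and `ok` would be printed — so the test cannot currently detect a spurious alert, which is exactly the regression a "no constraints" test exists to catch. Adding `suhosin.log.stdout=32` to the --INI-- block makes the exact `--EXPECTF--` match of `ok` fail if any check fires. On line 22, `$rows !== null` never guards anything useful because `fetch_all()` returns an array; `if ($result !== false && count($result->fetch_all()) == 2)` would instead protect against the query itself failing, which today surfaces as a fatal on the method call.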
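--- /dev/null
+++ b/tests/sql/mysqli_open_comment.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL open comment protection (/*...)
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=1
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /*");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Open comment in SQL query.*mark.
\ No newline at end of file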
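--- /dev/null
+++ b/tests/sql/mysqli_open_comment_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL open comment protection (/*...) set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=2
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 /*");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Open comment in SQL query.*\)
\ No newline at end of file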
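--- /dev/null
+++ b/tests/sql/mysqli_union.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Mysqli query with UNION protection
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=1
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 UNION SELECT 2");
+flush();
+echo "mark.";
+
+?>
+--EXPECTREGEX--
+ALERT - UNION in SQL query.*mark.
\ No newline at end of file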
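--- /dev/null
+++ b/tests/sql/mysqli_union_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with UNION protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=2
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = connect_mysqli_oostyle();
+$result = $mysqli->query("SELECT 1 UNION SELECT 2");
+echo "mark.";
+
+?>
+--EXPECTREGEX--
+ALERT - UNION in SQL query.*\)
\ No newline at end of file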
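--- /dev/null
+++ b/tests/sql/mysqli_user_match_error.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Mysqli connect with user_match not matching username
+--INI--
+extension=mysqli.so
+suhosin.sql.user_match=complicated_userprefix*
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = new mysqli($host, 'invalid_username', $passwd, $db, $port, $socket);
+?>
+--EXPECTREGEX--
+ALERT - SQL username .* does not match.*
\ No newline at end of file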
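--- /dev/null
+++ b/tests/sql/mysqli_user_match_ok.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Mysqli connect with user_match matching username
+--INI--
+extension=mysqli.so
+suhosin.sql.user_match=invalid_*
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = new mysqli($host, 'invalid_username', $passwd, $db, $port, $socket);
+?>
+--EXPECTREGEX--
+.*Access denied for user 'invalid_username'.*
\ No newline at end of file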
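Review bot: The expectation `.*Access denied for user 'invalid_username'.*` asserts the MySQL server's error text rather than anything Suhosin emits, and the same holds for mysqli_user_postfix.phpt and mysqli_user_prefix.phpt, which verify the rewritten username only through that message. The three tests therefore depend on the test server rejecting that account and on the exact wording of its denial; a server that accepts the user, or one that phrases the error differently, fails them without any Suhosin defect, and a pass only shows that the server saw the name Suhosin forwarded. Recording that assumption in each file, e.g. `// relies on the server rejecting this account; the denial text carries the name Suhosin sent`, tells the next maintainer what a failure here means. Whether the extension exposes the effective username through a channel these tests could assert on directly cannot be told from this hunk.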
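--- /dev/null
+++ b/tests/sql/mysqli_user_postfix.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Mysqli connect with user_postfix
+--INI--
+extension=mysqli.so
+suhosin.sql.user_postfix=_post
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = new mysqli($host, 'invalid_username', $passwd, $db, $port, $socket);
+?>
+--EXPECTREGEX--
+.*Access denied for user 'invalid_username_post'.*
\ No newline at end of file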
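--- /dev/null
+++ b/tests/sql/mysqli_user_prefix.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Mysqli connect with user_prefix
+--INI--
+extension=mysqli.so
+suhosin.sql.user_prefix=pre_
+suhosin.log.stdout=32
+--SKIPIF--
+<?php
+include('skipifmysqli.inc');
+include('skipif.inc');
+?>
+--FILE--
+<?php
+include('connect.inc');
+$mysqli = new mysqli($host, 'invalid_username', $passwd, $db, $port, $socket);
+?>
+--EXPECTREGEX--
+.*Access denied for user 'pre_invalid_username'.*
\ No newline at end of file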
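--- /dev/null
+++ b/tests/sql/skipifmysqli.inc
@@ -0,0 +1,5 @@
+<?php
+if (!extension_loaded("mysqli")) {
+ die('skip - mysqli extension not available');
+}
+?>
\ No newline at end of file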