From 93721fdd94f90d48b290749398a26cef277ad129 Mon Sep 17 00:00:00 2001 
From: Ben Fuhrmannek Date: Tue, 24 Jun 2014 16:56:21 +0200 Subject: Added SQL injection protection for Mysqli and several test cases --- tests/sql/connect.inc | 14 ++++++++++++++ tests/sql/mysqli_comment_conditional.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_comment_cstyle_fail.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_comment_hashstyle_fail.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_comment_sqlstyle.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_comment_sqlstyle_fail.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_multiselect.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_multiselect_fail.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_multiselect_subselect.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_no_constraints.phpt | 26 ++++++++++++++++++++++++++ tests/sql/mysqli_open_comment.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_open_comment_fail.phpt | 25 +++++++++++++++++++++++++ tests/sql/mysqli_union.phpt | 26 ++++++++++++++++++++++++++ tests/sql/mysqli_union_fail.phpt | 25 +++++++++++++++++++++++++ tests/sql/skipifmysqli.inc | 5 +++++ 15 files changed, 346 insertions(+) create mode 100644 tests/sql/connect.inc create mode 100644 tests/sql/mysqli_comment_conditional.phpt create mode 100644 tests/sql/mysqli_comment_cstyle_fail.phpt create mode 100644 tests/sql/mysqli_comment_hashstyle_fail.phpt create mode 100644 tests/sql/mysqli_comment_sqlstyle.phpt create mode 100644 tests/sql/mysqli_comment_sqlstyle_fail.phpt create mode 100644 tests/sql/mysqli_multiselect.phpt create mode 100644 tests/sql/mysqli_multiselect_fail.phpt create mode 100644 tests/sql/mysqli_multiselect_subselect.phpt create mode 100644 tests/sql/mysqli_no_constraints.phpt create mode 100644 tests/sql/mysqli_open_comment.phpt create mode 100644 tests/sql/mysqli_open_comment_fail.phpt create mode 100644 tests/sql/mysqli_union.phpt create mode 100644 tests/sql/mysqli_union_fail.phpt create mode 100644 tests/sql/skipifmysqli.inc 
(limited to 'tests/sql')
diff --git a/tests/sql/connect.inc b/tests/sql/connect.inc
new file mode 100644
index 0000000..367d63d
--- /dev/null
+++ b/tests/sql/connect.inc
@@ -0,0 +1,14 @@
+
\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_conditional.phpt b/tests/sql/mysqli_comment_conditional.phpt
new file mode 100644
index 0000000..0436c64
--- /dev/null
+++ b/tests/sql/mysqli_comment_conditional.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment protection and MySQL condition (/*!...*/)
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 /*! ... */");
+flush();
+echo "mark.";
+?>
+--EXPECTF--
+mark.
\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_cstyle_fail.phpt b/tests/sql/mysqli_comment_cstyle_fail.phpt
new file mode 100644
index 0000000..56a8ccb
--- /dev/null
+++ b/tests/sql/mysqli_comment_cstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (/*...*/) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 /* injection */");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_hashstyle_fail.phpt b/tests/sql/mysqli_comment_hashstyle_fail.phpt
new file mode 100644
index 0000000..6f5b517
--- /dev/null
+++ b/tests/sql/mysqli_comment_hashstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (#) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 # injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_sqlstyle.phpt b/tests/sql/mysqli_comment_sqlstyle.phpt
new file mode 100644
index 0000000..c32c76a
--- /dev/null
+++ b/tests/sql/mysqli_comment_sqlstyle.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (--) protection
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=1
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 -- injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*mark.
\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_sqlstyle_fail.phpt b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
new file mode 100644
index 0000000..83e63c5
--- /dev/null
+++ b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL comment (--) protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=2
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 -- injection");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Comment in SQL query.*\)
\ No newline at end of file
diff --git a/tests/sql/mysqli_multiselect.phpt b/tests/sql/mysqli_multiselect.phpt
new file mode 100644
index 0000000..63d6c19
--- /dev/null
+++ b/tests/sql/mysqli_multiselect.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with multiple SELECT statements
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=1
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1; SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*mark.
\ No newline at end of file
diff --git a/tests/sql/mysqli_multiselect_fail.phpt b/tests/sql/mysqli_multiselect_fail.phpt
new file mode 100644
index 0000000..2bee62a
--- /dev/null
+++ b/tests/sql/mysqli_multiselect_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with multiple SELECT statements set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=2
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1; SELECT 2");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*\)
\ No newline at end of file
diff --git a/tests/sql/mysqli_multiselect_subselect.phpt b/tests/sql/mysqli_multiselect_subselect.phpt
new file mode 100644
index 0000000..e629720
--- /dev/null
+++ b/tests/sql/mysqli_multiselect_subselect.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with sub-SELECT
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=1
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT * FROM (SELECT 1)");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Multiple SELECT in SQL query.*mark.
\ No newline at end of file
diff --git a/tests/sql/mysqli_no_constraints.phpt b/tests/sql/mysqli_no_constraints.phpt
new file mode 100644
index 0000000..1d7fff6
--- /dev/null
+++ b/tests/sql/mysqli_no_constraints.phpt
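Review bot: The expectation `ALERT - Multiple SELECT in SQL query.*mark.` at the end of tests/sql/mysqli_multiselect_subselect.phpt pins a derived-table subquery, `SELECT * FROM (SELECT 1)`, as a multiple-SELECT alert, which is a false positive for ordinary SQL rather than an injection attempt. If that is the intended behaviour of the multiselect check and not a gap this commit should close, the `--TEST--` line should say so, e.g. `Mysqli query with sub-SELECT (known false positive: reported as multiple SELECT)`, so a later maintainer does not read the test as asserting a bug and so operators know that applications using derived tables cannot run with suhosin.sql.multiselect set to the failing mode. The derived table also carries no alias, which MySQL normally rejects; that is harmless here because only the alert text is asserted, but it means the test never exercises a subselect that the server actually accepts.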
@@ -0,0 +1,26 @@
+--TEST--
+Mysqli connection test without any constraints
+--INI--
+extension=mysqli.so
+suhosin.sql.comment=0
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 AS A UNION SELECT 2 -- injection");
+$rows = $result->fetch_all();
+if ($rows !== null && count($rows) == 2) { echo "ok"; }
+
+?>
+--EXPECTF--
+ok
\ No newline at end of file
diff --git a/tests/sql/mysqli_open_comment.phpt b/tests/sql/mysqli_open_comment.phpt
new file mode 100644
index 0000000..29d3536
--- /dev/null
+++ b/tests/sql/mysqli_open_comment.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL open comment protection (/*...)
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=1
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 /*");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Open comment in SQL query.*mark.
\ No newline at end of file
diff --git a/tests/sql/mysqli_open_comment_fail.phpt b/tests/sql/mysqli_open_comment_fail.phpt
new file mode 100644
index 0000000..4645523
--- /dev/null
+++ b/tests/sql/mysqli_open_comment_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with SQL open comment protection (/*...) set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=2
+suhosin.sql.multiselect=0
+suhosin.sql.union=0
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 /*");
+flush();
+echo "mark.";
+?>
+--EXPECTREGEX--
+ALERT - Open comment in SQL query.*\)
\ No newline at end of file
diff --git a/tests/sql/mysqli_union.phpt b/tests/sql/mysqli_union.phpt
new file mode 100644
index 0000000..9af9c61
--- /dev/null
+++ b/tests/sql/mysqli_union.phpt
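Review bot: In tests/sql/mysqli_no_constraints.phpt the `--INI--` block sets `suhosin.sql.comment=0` twice, once before and once after `suhosin.sql.bailout_on_error=0`; the first occurrence should go. More importantly, this is the only test in the series that does not set `suhosin.log.stdout=32`, and its `--EXPECTF--` section only looks for `ok`; if, as the sibling tests suggest, that setting is what routes the ALERT lines into the captured output, a spurious alert on the UNION-plus-comment query here would be logged elsewhere and the test would still pass, so the "without any constraints" claim is not really asserted. Adding `suhosin.log.stdout=32` to this file would turn it into a genuine no-false-positive check. Separately, `$result->fetch_all()` is called without checking that the query returned a result object, so a failed query surfaces as a fatal error on a non-object rather than a readable test failure; a one-line guard such as `if ($result === false) { echo "query failed: " . $mysqli->error; }` before the call would make the diagnosis obvious (the start of this FILE section, including the assignment to `$result`, is not visible in this rendering).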
@@ -0,0 +1,26 @@
+--TEST--
+Mysqli query with UNION protection
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=1
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 UNION SELECT 2");
+flush();
+echo "mark.";
+
+?>
+--EXPECTREGEX--
+ALERT - UNION in SQL query.*mark.
\ No newline at end of file
diff --git a/tests/sql/mysqli_union_fail.phpt b/tests/sql/mysqli_union_fail.phpt
new file mode 100644
index 0000000..ee51a79
--- /dev/null
+++ b/tests/sql/mysqli_union_fail.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Mysqli query with UNION protection set to fail
+--INI--
+extension=mysqli.so
+suhosin.sql.bailout_on_error=0
+suhosin.sql.comment=0
+suhosin.sql.opencomment=0
+suhosin.sql.multiselect=0
+suhosin.sql.union=2
+suhosin.log.stdout=32
+--SKIPIF--
+
+--FILE--
+query("SELECT 1 UNION SELECT 2");
+echo "mark.";
+
+?>
+--EXPECTREGEX--
+ALERT - UNION in SQL query.*\)
\ No newline at end of file
diff --git a/tests/sql/skipifmysqli.inc b/tests/sql/skipifmysqli.inc
new file mode 100644
index 0000000..ee16cf1
--- /dev/null
+++ b/tests/sql/skipifmysqli.inc
@@ -0,0 +1,5 @@
+
\ No newline at end of file
-- cgit v1.3