|
|
@@ -1563,7 +1563,7 @@ func TestSqlInjection(t *testing.T) {
|
|
|
} else if err == nil {
|
|
|
dbt.Errorf("Sql injection successful with arg: %s", arg)
|
|
|
} else {
|
|
|
- dbt.Errorf("Error running query with arg: %s; err: %s", err.Error())
|
|
|
+ dbt.Errorf("Error running query with arg: %s; err: %s", arg, err.Error())
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
@@ -1577,3 +1577,32 @@ func TestSqlInjection(t *testing.T) {
|
|
|
runTests(t, testdsn, createTest("' OR '1'='1"))
|
|
|
}
|
|
|
}
|
|
|
+
|
|
|
+// Test if inserted data is correctly retrieved after being escaped
|
|
|
+func TestInsertRetrieveEscapedData(t *testing.T) {
|
|
|
+ testData := func(dbt *DBTest) {
|
|
|
+ dbt.mustExec("CREATE TABLE test (v VARCHAR(255))")
|
|
|
+
|
|
|
+ // All sequences that are escaped by EscapeQuotes and EscapeString
|
|
|
+ v := "foo \x00\n\r\x1a\"'\\"
|
|
|
+ dbt.mustExec("INSERT INTO test VALUES (?)", v)
|
|
|
+
|
|
|
+ var out string
|
|
|
+ err := dbt.db.QueryRow("SELECT v FROM test").Scan(&out)
|
|
|
+ if err != nil {
|
|
|
+ dbt.Fatalf("%s", err.Error())
|
|
|
+ }
|
|
|
+
|
|
|
+ if out != v {
|
|
|
+ dbt.Errorf("%q != %q", out, v)
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ dsns := []string{
|
|
|
+ dsn,
|
|
|
+ dsn + "&sql_mode=NO_BACKSLASH_ESCAPES",
|
|
|
+ }
|
|
|
+ for _, testdsn := range dsns {
|
|
|
+ runTests(t, testdsn, testData)
|
|
|
+ }
|
|
|
+}
|
arvenil