From 064fa452e5d1543ab98528c269d9512934b34285 Mon Sep 17 00:00:00 2001
From: ovclas
Date: Thu, 8 Mar 2012 00:38:42 +0000
Subject: [PATCH] SQL injection defense

git-svn-id: http://xe-core.googlecode.com/svn/trunk@10372 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 .../xml/xmlquery/argument/Argument.class.php | 13 +++++--
 .../db/db/xml_query/mysql/MysqlInsertTest.php | 39 +++++++++++++++++++
 .../mysql/data/member_insert_injection.xml | 9 +++++
 3 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 tests/classes/db/db/xml_query/mysql/MysqlInsertTest.php
 create mode 100644 tests/classes/db/db/xml_query/mysql/data/member_insert_injection.xml

diff --git a/classes/xml/xmlquery/argument/Argument.class.php b/classes/xml/xmlquery/argument/Argument.class.php
index 69d0f2800..756c043ea 100644
--- a/classes/xml/xmlquery/argument/Argument.class.php
+++ b/classes/xml/xmlquery/argument/Argument.class.php
@@ -66,12 +66,14 @@
 	}
 	function escapeValue($value){
-		if($this->getType() == 'column_name'){
+		$column_type = $this->getType();
+		if($column_type == 'column_name'){
 			$dbParser = DB::getParser();
 			return $dbParser->parseExpression($value);
-		}
-		if(!isset($value)) return null;
-		if(in_array($this->getType(), array('date', 'varchar', 'char','text', 'bigtext'))){
+		}
+		if(!isset($value)) return null;
+
+		if(in_array($column_type, array('date', 'varchar', 'char','text', 'bigtext'))){
 			if(!is_array($value)) $value = $this->_escapeStringValue ($value);
 			else {
@@ -81,6 +83,9 @@
 				//$value[$i] = '\''.$value[$i].'\'';
 			}
 		}
+		if($column_type == 'number')
+			$value = (int)$value;
+
 		return $value;
 	}
diff --git a/tests/classes/db/db/xml_query/mysql/MysqlInsertTest.php b/tests/classes/db/db/xml_query/mysql/MysqlInsertTest.php
new file mode 100644
index 000000000..99dfd7950
--- /dev/null
+++ b/tests/classes/db/db/xml_query/mysql/MysqlInsertTest.php
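Review bot: The new `$value = (int)$value;` in the `number` branch collapses an array value to `1` (or `0` for an empty array), while the string branch directly above handles `is_array($value)` element by element, so a list-valued numeric argument reaching this point would silently become a single wrong number instead of being converted per element; the cast should mirror that array handling. PHP's `(int)` also discards fractional parts and clamps or mangles numeric strings beyond PHP_INT_MAX, so if `number` covers decimal or large-id columns this rewrites such values rather than rejecting them — worth confirming against the column types this code is used with. escapeValue opens outside this hunk (its first lines are in the hunk above), and the first hunk's loose `==` comparisons could likewise be `===` since getType() is compared against string literals only. Suggested shape for the numeric branch:
```php
		// … unchanged: string-type escaping branch above …
		if($column_type == 'number'){
			if(is_array($value)){
				foreach($value as $k => $v) $value[$k] = (int)$v;
			}
			else $value = (int)$value;
		}
		return $value;
```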
@@ -0,0 +1,39 @@
+_testQuery($xml_file, $argsString, $expected, 'getInsertSql', $columnList);
+	}
+
+	function testInsertIntoNumericColumnConvertsValue()
+	{
+		$xml_file = _TEST_PATH_ . "db/xml_query/mysql/data/member_insert_injection.xml";
+		$argsString = '$args->member_srl = 7;
+			$args->find_account_question = "1\'";
+		';
+		$expected = 'insert into `xe_member` (`member_srl`, `find_account_question`) values (7, 1)';
+		$this->_test($xml_file, $argsString, $expected);
+	}
+
+
+}
+
+/* End of file MysqlInsertTest.php */
+/* Location: ./tests/classes/db/db/xml_query/mysql/MysqlInsertTest.php */
diff --git a/tests/classes/db/db/xml_query/mysql/data/member_insert_injection.xml b/tests/classes/db/db/xml_query/mysql/data/member_insert_injection.xml
new file mode 100644
index 000000000..ab10e4b99
--- /dev/null
+++ b/tests/classes/db/db/xml_query/mysql/data/member_insert_injection.xml
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
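Review bot: testInsertIntoNumericColumnConvertsValue pins only the scalar case (`"1'"` becoming `1`), so what the `(int)` conversion does with partially numeric or non-numeric input — `"7abc"` to `7`, `"abc"` to `0`, i.e. silent rewriting rather than rejection — and with an array-valued numeric argument is left untested; a second case such as `$args->member_srl = "7abc";` expecting `values (7, 1)` would make that truncation contract explicit. The expected SQL also shows the injected quote being dropped with no error, which is the intended defence but means the query runs with a value the caller never supplied, so a one-line comment in the test stating that this is the accepted behaviour would help the next reader. The start of this hunk is not legible in this view, so the class header and the `_test` helper it calls are out of sight.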