2011-06-06 14:17:44 -04:00
|
|
|
require "cases/helper"
|
2008-09-11 16:38:20 -04:00
|
|
|
require 'models/binary'
|
2013-10-18 16:26:39 -04:00
|
|
|
require 'models/author'
|
|
|
|
require 'models/post'
|
2008-09-11 16:38:20 -04:00
|
|
|
|
|
|
|
class SanitizeTest < ActiveRecord::TestCase
|
|
|
|
def setup
|
|
|
|
end
|
|
|
|
|
2013-04-25 20:20:33 -04:00
|
|
|
def test_sanitize_sql_hash_handles_associations
|
2013-05-07 17:35:54 -04:00
|
|
|
quoted_bambi = ActiveRecord::Base.connection.quote("Bambi")
|
|
|
|
quoted_column_name = ActiveRecord::Base.connection.quote_column_name("name")
|
|
|
|
quoted_table_name = ActiveRecord::Base.connection.quote_table_name("adorable_animals")
|
2013-10-18 16:26:39 -04:00
|
|
|
expected_value = "#{quoted_table_name}.#{quoted_column_name} = #{quoted_bambi}"
|
2013-05-06 21:00:11 -04:00
|
|
|
|
|
|
|
assert_equal expected_value, Binary.send(:sanitize_sql_hash, {adorable_animals: {name: 'Bambi'}})
|
2013-04-25 20:20:33 -04:00
|
|
|
end
|
|
|
|
|
2008-09-11 16:38:20 -04:00
|
|
|
def test_sanitize_sql_array_handles_string_interpolation
|
|
|
|
quoted_bambi = ActiveRecord::Base.connection.quote_string("Bambi")
|
|
|
|
assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=%s", "Bambi"])
|
2008-09-21 12:01:15 -04:00
|
|
|
assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=%s", "Bambi".mb_chars])
|
2008-09-11 16:38:20 -04:00
|
|
|
quoted_bambi_and_thumper = ActiveRecord::Base.connection.quote_string("Bambi\nand\nThumper")
|
|
|
|
assert_equal "name=#{quoted_bambi_and_thumper}",Binary.send(:sanitize_sql_array, ["name=%s", "Bambi\nand\nThumper"])
|
2008-09-21 12:01:15 -04:00
|
|
|
assert_equal "name=#{quoted_bambi_and_thumper}",Binary.send(:sanitize_sql_array, ["name=%s", "Bambi\nand\nThumper".mb_chars])
|
2008-09-11 16:38:20 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def test_sanitize_sql_array_handles_bind_variables
|
|
|
|
quoted_bambi = ActiveRecord::Base.connection.quote("Bambi")
|
|
|
|
assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi"])
|
2008-09-21 12:01:15 -04:00
|
|
|
assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi".mb_chars])
|
2008-09-11 16:38:20 -04:00
|
|
|
quoted_bambi_and_thumper = ActiveRecord::Base.connection.quote("Bambi\nand\nThumper")
|
|
|
|
assert_equal "name=#{quoted_bambi_and_thumper}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi\nand\nThumper"])
|
2008-09-21 12:01:15 -04:00
|
|
|
assert_equal "name=#{quoted_bambi_and_thumper}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi\nand\nThumper".mb_chars])
|
2008-09-11 16:38:20 -04:00
|
|
|
end
|
2013-10-12 07:38:37 -04:00
|
|
|
|
|
|
|
def test_sanitize_sql_array_handles_relations
|
2013-10-18 16:26:39 -04:00
|
|
|
david = Author.create!(name: 'David')
|
|
|
|
david_posts = david.posts.select(:id)
|
|
|
|
|
|
|
|
sub_query_pattern = /\(\bselect\b.*?\bwhere\b.*?\)/i
|
|
|
|
|
|
|
|
select_author_sql = Post.send(:sanitize_sql_array, ['id in (?)', david_posts])
|
|
|
|
assert_match(sub_query_pattern, select_author_sql, 'should sanitize `Relation` as subquery for bind variables')
|
|
|
|
|
|
|
|
select_author_sql = Post.send(:sanitize_sql_array, ['id in (:post_ids)', post_ids: david_posts])
|
|
|
|
assert_match(sub_query_pattern, select_author_sql, 'should sanitize `Relation` as subquery for named bind variables')
|
2013-10-12 07:38:37 -04:00
|
|
|
end
|
2014-02-09 07:05:42 -05:00
|
|
|
|
|
|
|
def test_sanitize_sql_array_handles_empty_statement
|
|
|
|
select_author_sql = Post.send(:sanitize_sql_array, [''])
|
|
|
|
assert_equal('', select_author_sql)
|
|
|
|
end
|
2014-02-27 13:34:21 -05:00
|
|
|
|
|
|
|
def test_sanitize_sql_like
|
|
|
|
assert_equal '100\%', Binary.send(:sanitize_sql_like, '100%')
|
|
|
|
assert_equal 'snake\_cased\_string', Binary.send(:sanitize_sql_like, 'snake_cased_string')
|
|
|
|
assert_equal 'C:\\\\Programs\\\\MsPaint', Binary.send(:sanitize_sql_like, 'C:\\Programs\\MsPaint')
|
|
|
|
assert_equal 'normal string 42', Binary.send(:sanitize_sql_like, 'normal string 42')
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_sanitize_sql_like_with_custom_escape_character
|
|
|
|
assert_equal '100!%', Binary.send(:sanitize_sql_like, '100%', '!')
|
|
|
|
assert_equal 'snake!_cased!_string', Binary.send(:sanitize_sql_like, 'snake_cased_string', '!')
|
2014-04-16 10:45:10 -04:00
|
|
|
assert_equal 'great!!', Binary.send(:sanitize_sql_like, 'great!', '!')
|
|
|
|
assert_equal 'C:\\Programs\\MsPaint', Binary.send(:sanitize_sql_like, 'C:\\Programs\\MsPaint', '!')
|
2014-02-27 13:34:21 -05:00
|
|
|
assert_equal 'normal string 42', Binary.send(:sanitize_sql_like, 'normal string 42', '!')
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_sanitize_sql_like_example_use_case
|
|
|
|
searchable_post = Class.new(Post) do
|
|
|
|
def self.search(term)
|
2014-04-16 10:45:10 -04:00
|
|
|
where("title LIKE ?", sanitize_sql_like(term, '!'))
|
2014-02-27 13:34:21 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-04-18 13:45:42 -04:00
|
|
|
assert_sql(/LIKE '20!% !_reduction!_!!'/) do
|
2014-04-16 10:45:10 -04:00
|
|
|
searchable_post.search("20% _reduction_!").to_a
|
2014-02-27 13:34:21 -05:00
|
|
|
end
|
|
|
|
end
|
2008-09-11 16:38:20 -04:00
|
|
|
end
|