30 lines
598 B
Go
30 lines
598 B
Go
package gorm_test
|
|
|
|
import "testing"
|
|
|
|
func TestOrderSQLInjection(t *testing.T) {
|
|
DB.AutoMigrate(new(User))
|
|
|
|
DB.Save(&User{Name: "jinzhu"})
|
|
|
|
var users []*User
|
|
DB.Order("id;delete from users;commit;").Find(&users)
|
|
|
|
if len(users) != 1 {
|
|
t.Error("Seems like it's possible to use SQL injection with ORDER BY")
|
|
}
|
|
}
|
|
|
|
func TestGroupSQLInjection(t *testing.T) {
|
|
DB.AutoMigrate(new(User))
|
|
|
|
DB.Save(&User{Name: "jinzhu"})
|
|
|
|
var users []*User
|
|
DB.Group("name;delete from users;commit;").Find(&users)
|
|
|
|
if len(users) != 1 {
|
|
t.Error("Seems like it's possible to use SQL injection with GROUP BY")
|
|
}
|
|
}
|