From c9da1b37a23559c5312f2fa154541ac1ec70a96c Mon Sep 17 00:00:00 2001
From: Victor
Date: Thu, 27 Mar 2014 14:32:09 +0400
Subject: [PATCH 1/2] test cases related to anonimous functions
---
 .../PreventSQLInjection.run | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/t/ValuesAndExpressions/PreventSQLInjection.run b/t/ValuesAndExpressions/PreventSQLInjection.run
index 4740a08..d231325 100644
--- a/t/ValuesAndExpressions/PreventSQLInjection.run
+++ b/t/ValuesAndExpressions/PreventSQLInjection.run
@@ -369,6 +369,42 @@ my $sql = "select $var from " . method( $table ) . " where $where"; ## SQL safe my $sql = "select * from " . Acme::XYZ::method($table);
+## name Anonimous functions without arguments
+## failures 0
+## cut
+
+my $sql = "select from " . $x->(); ## SQL safe ($x)
+
+## name Anonimous functions with arguments
+## failures 0
+## cut
+
+my $sql = "select from " . $x->( $y ); ## SQL safe ($x, $y)
+
+## name Anonimous functions without arguments - another syntax
+## failures 0
+## cut
+
+my $sql = "select from " . &$x; ## SQL safe ($x)
+
+## name Anonimous functions with arguments - another syntax
+## failures 0
+## cut
+
+my $sql = "select from " . &$x($y); ## SQL safe ($x, $y)
+
+## name Functions returning anonimous functions without SQL safe
+## failures 1
+## cut
+
+my $sql = "select from " . iterator->();
+
+## name Functions returning anonimous functions with SQL safe
+## failures 0
+## cut
+
+my $sql = "select from " . iterator->(); ## SQL safe (&iterator)
+
 ## name Prohibit all quoting methods.
 ## parms { quoting_methods => '' }
 ## failures 1

From fb2db98ba21b106106abc0c49ae9d77eba794167 Mon Sep 17 00:00:00 2001
From: Victor
Date: Thu, 27 Mar 2014 14:43:26 +0400
Subject: [PATCH 2/2] actually only function veriable should be marked safe
---
 t/ValuesAndExpressions/PreventSQLInjection.run | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
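Review bot: The four `## failures 0` cases for `$x->()`, `$x->( $y )`, `&$x` and `&$x($y)` have no unmarked counterpart, so they would also pass if the policy simply never inspected code-reference calls; the only negative case in the hunk is the named-function form `iterator->()`. Add a `## failures 1` block with `my $sql = "select from " . $x->();` and no `## SQL safe` marker so the suite proves the `($x)` annotation is what suppresses the violation, and likewise one for the `&$x` form. The markers `## SQL safe ($x)` for a coderef call and `## SQL safe (&iterator)` for a named function are two different shapes for the same kind of value; if the policy's POD does not already state that a coderef variable is marked with its `$` sigil rather than as `&$x`, it should. The six `## name` lines spell "Anonymous" as "Anonimous".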
diff --git a/t/ValuesAndExpressions/PreventSQLInjection.run b/t/ValuesAndExpressions/PreventSQLInjection.run
index d231325..39c28e6 100644
--- a/t/ValuesAndExpressions/PreventSQLInjection.run
+++ b/t/ValuesAndExpressions/PreventSQLInjection.run
@@ -379,7 +379,7 @@ my $sql = "select from " . $x->(); ## SQL safe ($x)
 ## failures 0
 ## cut
-my $sql = "select from " . $x->( $y ); ## SQL safe ($x, $y)
+my $sql = "select from " . $x->( $y ); ## SQL safe ($x)
 ## name Anonimous functions without arguments - another syntax
 ## failures 0
@@ -391,7 +391,7 @@ my $sql = "select from " . &$x; ## SQL safe ($x)
 ## failures 0
 ## cut
-my $sql = "select from " . &$x($y); ## SQL safe ($x, $y)
+my $sql = "select from " . &$x($y); ## SQL safe ($x)
 ## name Functions returning anonimous functions without SQL safe
 ## failures 1
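Review bot: Dropping `$y` from the marker in the `$x->( $y )` case here, and in the `&$x($y)` case at `@@ -391`, encodes that an argument to a code-reference call is outside what the policy inspects, but nothing in the test file records that rule; a reader could take `## SQL safe ($x)` on a line that also passes `$y` as a statement that `$y` was vetted. Carry the rule in the test name, e.g. `## name Anonymous functions with arguments (call arguments are not inspected)`, with matching wording for the other-syntax case. This appears to follow how the existing `method( $table )` case treats a named function's arguments, though that case's `## failures` expectation is outside these hunks.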