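async def test_username_query_sql_inject_attampt(self):
    """A search query carrying SQL-injection text must not alter the users table.

    Inserts one user, then GETs ``/search/user`` with a URL-encoded payload
    that contains a quote, a statement terminator and a ``delete from users``
    clause. The endpoint is expected to answer 200 with an empty result list,
    and afterwards the users table must still hold exactly one row, which is
    the assertion that actually proves the injected DELETE did not execute.

    ``self.pool``, ``self.fetch``, ``quote_plus``, ``json_decode`` and
    ``TEST_ADDRESS`` are provided by the enclosing test class / module.
    The body awaits coroutines, so the method must be ``async def``.
    """
    username = "bobsmith"
    # quote_plus keeps the quote, semicolon and spaces intact across the URL
    # round-trip so the handler receives the raw payload characters.
    inject_attempt = quote_plus("x'; delete from users; select * from users")
    async with self.pool.acquire() as con:
        await con.execute("INSERT INTO users (username, toshi_id) VALUES ($1, $2)", username, TEST_ADDRESS)
    resp = await self.fetch("/search/user?query={}".format(inject_attempt), method="GET")
    self.assertEqual(resp.code, 200)
    body = json_decode(resp.body)
    # No stored username matches the literal payload text.
    self.assertEqual(len(body['results']), 0)
    # The row inserted above must survive the request.
    async with self.pool.acquire() as con:
        row = await con.fetchrow("SELECT COUNT(*) AS count FROM users")
    self.assertEqual(row['count'], 1)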