C++: Add additional SQL injection tests

jketema · jketema · commit bfef3150184d · 2025-05-22T20:24:58.000+02:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
@@ -75,4 +75,30 @@ void ODBCTests(){
   gets(userInput);
   SQLPrepare(0, userInput, 100); // BAD
   SQLExecDirect(0, userInput, 100); // BAD
-}
+}
+
+char* GetCommandLineA();
+char** CommandLineToArgvA(char *, int*);
+
+void getCommandLine() {
+  char *cmd = GetCommandLineA();
+  int argc;
+  char **argv = CommandLineToArgvA(cmd, &argc);
+
+  // a string from the user is injected directly into an SQL query.
+  char query1[1000] = {0};
+  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", cmd);
+  mysql_query(0, query1); // BAD
+
+  // a string from the user is injected directly into an SQL query.
+  char query2[1000] = {0};
+  snprintf(query2, 1000, "SELECT UID FROM USERS where name = \"%s\"", argv[1]);
+  mysql_query(0, query2); // BAD
+}
+
+int WinMain(void *hInstance, void *hPrevInstance, char *pCmdLine, int nCmdShow) {
+  // a string from the user is injected directly into an SQL query.
+  char query1[1000] = {0};
+  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", pCmdLine);
+  mysql_query(0, query1); // BAD
+}
