From 770beec886a86efe04c08c24ee21e96f2f94d2f3 Mon Sep 17 00:00:00 2001
From: Sean Corfield
Date: Mon, 22 Feb 2021 10:56:32 -0800
Subject: [PATCH] Add test for (v1) SQL Injection in insert #299

---
 test/honey/sql_test.cljc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/test/honey/sql_test.cljc b/test/honey/sql_test.cljc
index 3337cd8..0868889 100644
--- a/test/honey/sql_test.cljc
+++ b/test/honey/sql_test.cljc
@@ -584,3 +584,13 @@ ORDER BY id = ? DESC
 (h/where [:= :state 42])
 (h/order-by [[:= :id 123] :desc]))
 {:pretty true}))))
+
+
+(deftest issue-299-test
+ (let [name "test field"
+ ;; this was a bug in v1 -- adding here to prevent regression:
+ enabled [true, "); SELECT case when (SELECT current_setting('is_superuser'))='off' then pg_sleep(0.2) end; -- "]]
+ (is (= ["INSERT INTO table (name, enabled) VALUES (?, (TRUE, ?))" name (second enabled)]
+ (format {:insert-into :table
+ :values [{:name name
+ :enabled enabled}]})))))
\ No newline at end of file
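Review bot: The expected pair `"... VALUES (?, (TRUE, ?))" name (second enabled)` is what actually guards against the regression, but the comment in the `let` only says "this was a bug in v1" and does not state the property being asserted, so a future maintainer could "simplify" the expectation without realising what it protects. I would extend the comment to spell it out, e.g. `;; v1 spliced the string element of a vector value into the SQL text; the string must instead surface only as a bound ? parameter (second element of the expected vector), never in the SQL string.` Separately, binding `name` in the `let` shadows `clojure.core/name` for the whole body; `field-name` would avoid that, with the `:name name` entry and the first element of the expected vector renamed to match. The new `deftest` is also appended without a trailing newline (the `\ No newline at end of file` marker), which is worth fixing while the file is being touched.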