Move invalid SQL test cases to dedicated test

hansott · hansott · commit cd9547ef01da · 2026-03-27T16:26:32.000+01:00
diff --git a/aikido_zen/vulnerabilities/sql_injection/init_test.py b/aikido_zen/vulnerabilities/sql_injection/init_test.py
@@ -171,9 +171,6 @@ def test_is_not_injection():
 
 
 def test_allow_escape_sequences():
-    # Invalid queries :
-    is_not_sql_injection("SELECT * FROM users WHERE id = 'users\\'", "users\\")
-
     is_not_sql_injection("SELECT * FROM users WHERE id = 'users\\\\'", "users\\\\")
     is_not_sql_injection("SELECT * FROM users WHERE id = '\nusers'", "\nusers")
     is_not_sql_injection("SELECT * FROM users WHERE id = '\rusers'", "\rusers")
@@ -212,10 +209,6 @@ def test_check_string_safely_escaped():
     is_not_sql_injection(
         'SELECT * FROM comments WHERE comment = "I`m writting you"', "I`m writting you"
     )
-    # Invalid query (strings don't terminate)
-    is_not_sql_injection(
-        "SELECT * FROM comments WHERE comment = 'I'm writting you'", "I'm writting you"
-    )
     # Positive example of same query :
     is_sql_injection(
         "SELECT * FROM comments WHERE comment = 'I'm writting you--'",
@@ -393,6 +386,14 @@ def test_lowercased_input_sql_injection():
 """
 
 
+def test_block_invalid_sql_queries():
+    # These are invalid queries (e.g. unterminated strings) that fail tokenization
+    is_sql_injection("SELECT * FROM users WHERE id = 'users\\'", "users\\")
+    is_sql_injection(
+        "SELECT * FROM comments WHERE comment = 'I'm writting you'", "I'm writting you"
+    )
+
+
 def test_function_calls_as_sql_injections():
     is_sql_injection("foobar()", "foobar()")
     is_sql_injection("foobar(1234567)", "foobar(1234567)")
