Speced SQLi#place_holder.

spec/exploits/sqli_spec.rb

@@ -25,6 +25,64 @@
     its(:terminate) { should be(false) }
   end
 
+  describe "#place_holder" do
+    it "should return an Integer" do
+      subject.place_holder.should == query_param_value.to_i
+    end
+
+    context "when escape is 'decimal'" do
+      before { subject.escape = 'decimal' }
+
+      it "should return a Float" do
+        subject.place_holder.should == query_param_value.to_f
+      end
+    end
+
+    context "when escape is 'string'" do
+      before { subject.escape = 'string' }
+
+      it "should return a String" do
+        subject.place_holder.should == query_param_value
+      end
+    end
+
+    context "when escape is 'list'" do
+      before { subject.escape = 'list' }
+
+      context "and url_query_param_value is an integer value" do
+        let(:query_param_value) { '2' }
+
+        it "should return an Array containing an Integer" do
+          subject.place_holder.should == [query_param_value.to_i]
+        end
+      end
+
+      context "and url_query_param_value is a decimal value" do
+        let(:query_param_value) { '2.0' }
+
+        it "should return an Array containing a Float" do
+          subject.place_holder.should == [query_param_value.to_f]
+        end
+      end
+
+      context "and url_query_param_value is a string value" do
+        let(:query_param_value) { 'A' }
+
+        it "should return an Array containing a String" do
+          subject.place_holder.should == [query_param_value]
+        end
+      end
+    end
+
+    context "when escape is 'column'" do
+      before { subject.escape = 'column' }
+
+      it "should return a Symbol" do
+        subject.place_holder.should == query_param_value.to_sym
+      end
+    end
+  end
+
   describe "#exploit_url" do
     context "when passed a object that responds to #to_sql" do
       let(:sql)     { subject.sqli.or { 1 == 1 } }