Documents  Decision Records  Risks tp-003.md

tp-003.md

1 Test Case TP-003

Negative test suite for SQL injection: verifies that user-supplied input carrying SQL metacharacters and known injection payloads is treated as literal data. This protocol is the verification of the mitigation of risk record SECR-001.

2 Test Summary

Param Value
Software Version
Tester Name
Date

3 Test Procedure

Test Step # Test Step Description Result Req. Id
1 Prepare a data set containing one record whose text field holds the literal value "O'Brien"
2 Search for the term "O'Brien" and verify that exactly the prepared record is returned and no database error is raised REQ-012
3 Search for the term "' OR '1'='1" and verify that no records are returned and no database error is raised REQ-012
4 Search for the term "'; DROP TABLE records;--" and verify that no records are returned, no database error is raised, and the records table still exists REQ-012
5 Search for the term "1 UNION SELECT username, password FROM users" and verify that no data from other tables appears in the results REQ-012
6 Inspect the database query log for the searches of steps 2 to 5 and verify that each executed statement is a prepared statement with the search term bound as a parameter REQ-010