tp-003.md ¶
1 Test Case TP-003 ¶
Negative test suite for SQL injection: verifies that user-supplied input carrying SQL metacharacters and known injection payloads is treated as literal data. This protocol is the verification of the mitigation of risk record SECR-001.
2 Test Summary ¶
| Param | Value |
|---|---|
| Software Version | |
| Tester Name | |
| Date |
3 Test Procedure ¶
| Test Step # | Test Step Description | Result | Req. Id |
|---|---|---|---|
| 1 | Prepare a data set containing one record whose text field holds the literal value "O'Brien" | ||
| 2 | Search for the term "O'Brien" and verify that exactly the prepared record is returned and no database error is raised | REQ-012 | |
| 3 | Search for the term "' OR '1'='1" and verify that no records are returned and no database error is raised | REQ-012 | |
| 4 | Search for the term "'; DROP TABLE records;--" and verify that no records are returned, no database error is raised, and the records table still exists | REQ-012 | |
| 5 | Search for the term "1 UNION SELECT username, password FROM users" and verify that no data from other tables appears in the results | REQ-012 | |
| 6 | Inspect the database query log for the searches of steps 2 to 5 and verify that each executed statement is a prepared statement with the search term bound as a parameter | REQ-010 |