7.1 Code Review and Test Strategy
Effective testing of complex products is essentially a process of investigation, not merely a matter of creating and following a routine procedure. Code reviews or walkthroughs are referred to as "static testing," whereas actually running the program against a given set of test cases at a given development stage is referred to as "dynamic testing." Testing for SQL injection flaws requires both. For static testing, you can begin with a peer (or self) code review and/or use a static code analysis tool. After finding and fixing the SQL injection bugs that review uncovers, you then need to perform dynamic testing: run tools that generate random input (fuzzing), and also run the test cases you define specifically to detect SQL injection in your code. In this lesson, you are introduced to various SQL injection testing tools and checklists that will aid you in detecting and removing SQL injection bugs from your code.