
7.5 Generate Test Cases

When designing SQL injection test cases, keep in mind that each input parameter needs to be tested individually. When testing each parameter, leave all the other parameters unchanged with valid data as their arguments.

It can be tempting to simply delete everything you are not working with to make things look simpler, particularly with applications whose parameter lines run to many thousands of characters. Omitting parameters, or supplying bad arguments to the other parameters while you test one for SQL injection, can break the application in ways that prevent you from determining whether SQL injection is possible at all: the request may fail input validation or an earlier lookup before the parameter under test ever reaches a query.

So, when testing for SQL injection, always send the full parameter line, supplying a legitimate value for every parameter except the one you are testing.
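The following Python script is an added example, not code from the original course page, that applies the rule above: it starts from a baseline request in which every parameter carries an accepted value and generates one test case per parameter and probe, changing exactly one parameter at a time. The parameter names, values, probe strings and the `/search` path are constructed for illustration, and the script checks its own invariant that no other parameter was disturbed.

```python
"""Generate one-parameter-at-a-time SQL injection test cases.

Added example, not from the original page. The parameter names, values,
probe strings and request path below are constructed for illustration.
"""
from urllib.parse import urlencode

# Constructed baseline request: every parameter holds a value the
# application accepts. Each generated case is a full copy of this dict.
BASELINE = {
    "id": "42",
    "sort": "name",
    "page": "1",
    "session": "a1b2c3d4",
}

# Constructed probe strings: a few common SQL injection payloads.
PROBES = [
    "'",
    "\"",
    "' OR '1'='1",
    "' OR 1=1-- ",
    "1 OR 1=1",
    "') OR ('1'='1",
]


def generate_test_cases(baseline, probes):
    """Yield (param, mode, params) triples.

    Each yielded `params` dict is a copy of the baseline with exactly one
    parameter changed. `mode` is "replace" (the probe stands alone) or
    "append" (the probe is appended to the valid value, which keeps
    numeric or otherwise type-checked fields looking plausible to the
    application so that the request reaches the query).
    """
    for name, valid in baseline.items():
        for probe in probes:
            for mode, value in (("replace", probe), ("append", valid + probe)):
                params = dict(baseline)
                params[name] = value
                yield name, mode, params


def differs_in_exactly_one(baseline, params):
    """Sanity check: the case keeps every other parameter intact."""
    changed = [k for k in baseline if params.get(k) != baseline[k]]
    return set(params) == set(baseline) and len(changed) == 1


def build_requests(baseline, probes):
    """Return (param, mode, query_string) tuples for every generated case,
    verifying the one-parameter-changed invariant on each."""
    requests = []
    for name, mode, params in generate_test_cases(baseline, probes):
        assert differs_in_exactly_one(baseline, params), (name, mode)
        requests.append((name, mode, urlencode(params)))
    return requests


if __name__ == "__main__":
    # Print the full request line for each case; send these with the same
    # method, headers and cookies as the legitimate baseline request.
    for name, mode, qs in build_requests(BASELINE, PROBES):
        print(f"{name:8} {mode:8} /search?{qs}")
```

With four parameters, six probes and two modes the script emits 48 requests, each identical to the baseline in every field but one. Keeping the "append" mode alongside "replace" matters for parameters such as `id` or `page`, where a bare `'` is often rejected by type checks before it reaches the database, while `42'` passes them.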

Certain object and schema names help to uncover SQL injection vulnerabilities. Use this list of names as input values in your tests.

Define test cases that cover the code review checklist.