Testing Fundamentals | testing | ~15 mins

SQL injection testing in Testing Fundamentals - Build an Automation Script

Test login form for SQL injection vulnerability
Step 1: Open the login page URL in a browser
Step 2: In the username field, enter the string: ' OR '1'='1
Step 3: In the password field, enter any value, e.g., 'password'
Step 4: Click the Login button
Step 5: Observe the result
✅ Expected Result: The login should fail and show the application's generic invalid-credentials error message. The application must not allow login with the SQL injection string, and it must not respond with a raw database error or a server error page, because either shows that the input reached the SQL parser.
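Why this payload works, and when it does not, as an added example that is not part of the original page: a minimal login check backed by an in-memory SQLite table, written once in the vulnerable string-concatenation form and once with bound parameters. The users table, the account alice/s3cret and the case labels are constructed for this example; the first payload is the page's own, the other cases are variants chosen here.

```python
import sqlite3

# Constructed in-memory user table standing in for the application's database
# (an assumption for this example; one account, plaintext password for brevity).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, so quotes in the input
    are parsed as SQL. This is the defect the manual test case is hunting for."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Binds the inputs as parameters; the driver never hands them to the SQL parser."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# (label, username, password): the page's payload and variants chosen for this example.
CASES = [
    ("valid credentials",         "alice",           "s3cret"),
    ("page payload, user only",   "' OR '1'='1",     "password"),
    ("page payload, both fields", "' OR '1'='1",     "' OR '1'='1"),
    ("comment-terminated",        "' OR '1'='1' --", "password"),
]

def probe(login_fn, conn=None):
    """Run every case against one login implementation; returns {label: logged_in}."""
    if conn is None:
        conn = make_db()
    return {label: login_fn(conn, user, pw) for label, user, pw in CASES}

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        print(name, probe(fn))
```

The result worth noticing is the "page payload, user only" case: against the concatenated query it does not log in, because SQL's AND binds tighter than OR, so `username = '' OR '1'='1' AND password = 'password'` still requires the real password. The comment-terminated variant and the payload placed in both fields do bypass it. The page's expected result (login must fail) stays correct, but the exact steps above can pass against a vulnerable application; that is why more than one payload is needed.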
Automation Requirements - Selenium with Python
Assertions Needed:
Verify that the login is unsuccessful
Verify that an error message is displayed indicating invalid credentials or login failure (the application's own generic message, not a database error)
Verify that the URL does not change to the dashboard or authenticated page
Best Practices:
Use explicit waits to wait for elements to be visible or clickable
Use meaningful locators like By.ID or By.NAME instead of brittle XPath
Use assertions to check page content and URL
Handle exceptions gracefully to avoid test crashes
Automated Solution
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import TimeoutException
import os
import unittest

class TestSQLInjection(unittest.TestCase):
    def setUp(self):
        self.driver = webdriver.Chrome()
        # Login URL comes from the environment so the test is not tied to one host
        self.driver.get(os.environ.get('LOGIN_URL', 'https://example.com/login'))
        self.wait = WebDriverWait(self.driver, 10)

    def test_sql_injection_login(self):
        driver = self.driver
        wait = self.wait

        # Locate username field and enter SQL injection string
        username_field = wait.until(EC.visibility_of_element_located((By.ID, 'username')))
        username_field.clear()
        username_field.send_keys("' OR '1'='1")

        # Locate password field and enter any password
        password_field = driver.find_element(By.ID, 'password')
        password_field.clear()
        password_field.send_keys('password')

        # Click the login button
        login_button = driver.find_element(By.ID, 'loginBtn')
        login_button.click()

        # Wait for the error message; if it never appears (for example because
        # the injection worked and the app navigated away), fail with a clear
        # message instead of crashing on an uncaught TimeoutException
        try:
            error_message = wait.until(EC.visibility_of_element_located((By.ID, 'errorMsg')))
        except TimeoutException:
            self.fail('No error message shown after login attempt; current URL: '
                      + driver.current_url)

        # Assert error message is displayed
        self.assertTrue(error_message.is_displayed(), 'Error message should be displayed')

        # Assert URL does not contain dashboard path
        current_url = driver.current_url
        self.assertNotIn('/dashboard', current_url, 'Should not navigate to dashboard on SQL injection')

    def tearDown(self):
        self.driver.quit()

if __name__ == '__main__':
    unittest.main()

This test script uses Selenium with Python's unittest framework.

setUp: Opens the browser and navigates to the login page, taking the URL from the LOGIN_URL environment variable with a fallback default.

test_sql_injection_login: Enters a classic SQL injection string in the username field and a dummy password, then clicks login.

It waits explicitly for the error message element to appear, ensuring the page has responded; if the element never appears, the test fails with the current URL in the message rather than crashing on a timeout.

Assertions check that the error message is visible and the URL does not change to the dashboard, confirming login failure.

tearDown: Closes the browser after the test.

Explicit waits and meaningful locators (By.ID) are used for reliability and maintainability.

Common Mistakes - 4 Pitfalls
Using time.sleep() instead of explicit waits
Using brittle XPath selectors like absolute paths
Not verifying the error message or page URL after login attempt
Hardcoding URLs or credentials inside the test without flexibility
Bonus Challenge

Now add data-driven testing with 3 different SQL injection strings in the username field
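A data-driven version of the check, added here as an example and not the page's own solution or hint. It keeps the original script's element ids (username, password, loginBtn, errorMsg) and the /dashboard check, adds two extra payloads chosen for this example, and separates the verdict logic from the browser driving so the verdict can be exercised without a browser. The PAYLOADS list, the LoginOutcome type, the DB_ERROR_MARKERS pattern and the fake_rejecting_app stand-in are all assumptions made here.

```python
import re
import unittest
from dataclasses import dataclass

# Three username payloads: the page's own string plus two common variants
# chosen for this example (not taken from the original page).
PAYLOADS = [
    "' OR '1'='1",
    "' OR '1'='1' --",
    "alice' --",
]

# Fragments that suggest a database error leaked into the response. An assumed
# starter list; extend it for the database the application actually uses.
DB_ERROR_MARKERS = re.compile(
    r"syntax error|sqlite|mysql|postgres|ora-\d{5}|odbc|unterminated|unclosed quotation",
    re.IGNORECASE)

@dataclass
class LoginOutcome:
    url: str          # browser URL after the login attempt
    error_text: str   # text of the visible error element, "" if none appeared

def assess_outcome(outcome, dashboard_path="/dashboard"):
    """Return the list of findings for one attempt; an empty list means the
    login was rejected with a generic error, which is the expected result."""
    findings = []
    if dashboard_path in outcome.url:
        findings.append("navigated to authenticated page")
    if not outcome.error_text:
        findings.append("no error message shown")
    elif DB_ERROR_MARKERS.search(outcome.error_text):
        # A raw database error proves the input reached the SQL parser.
        findings.append("database error leaked: " + outcome.error_text)
    return findings

def run_payloads(attempt_login, payloads=PAYLOADS, password="password"):
    """Data-driven run: one attempt per payload, mapped to its findings."""
    return {p: assess_outcome(attempt_login(p, password)) for p in payloads}

def attempt_login_selenium(login_url, username, password, timeout=10):
    """Browser-backed attempt using the element ids from the original script.
    Selenium is imported lazily so the rest of this module runs without it."""
    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.support.ui import WebDriverWait
    from selenium.common.exceptions import TimeoutException

    driver = webdriver.Chrome()
    try:
        driver.get(login_url)
        wait = WebDriverWait(driver, timeout)
        wait.until(lambda d: d.find_element(By.ID, "username").is_displayed())
        driver.find_element(By.ID, "username").send_keys(username)
        driver.find_element(By.ID, "password").send_keys(password)
        driver.find_element(By.ID, "loginBtn").click()
        try:
            # Settle on whichever happens first: an error element or a navigation.
            wait.until(lambda d: d.current_url != login_url or any(
                e.is_displayed() for e in d.find_elements(By.ID, "errorMsg")))
        except TimeoutException:
            pass  # neither happened; reported below as "no error message shown"
        shown = [e.text for e in driver.find_elements(By.ID, "errorMsg") if e.is_displayed()]
        return LoginOutcome(driver.current_url, shown[0] if shown else "")
    finally:
        driver.quit()

def fake_rejecting_app(username, password):
    """Constructed stand-in for a correctly behaving login page (no browser needed)."""
    return LoginOutcome("https://example.com/login", "Invalid username or password")

class TestSQLInjectionDataDriven(unittest.TestCase):
    # Swap in functools.partial(attempt_login_selenium, "https://example.com/login")
    # to run the same cases against a real login page.
    attempt_login = staticmethod(fake_rejecting_app)

    def test_every_payload_is_rejected(self):
        for payload, findings in run_payloads(self.attempt_login).items():
            with self.subTest(payload=payload):
                self.assertEqual(findings, [], f"{payload!r}: {findings}")

if __name__ == "__main__":
    unittest.main()
```

subTest reports each payload separately, so one bypass does not hide the others, and assess_outcome treats a leaked database error as a finding in its own right, which the original single assertion on "an error message is displayed" would have counted as a pass.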
