Testing Fundamentals (~15 mins)

Why security testing protects users in Testing Fundamentals - Automation Benefits in Action

Verify login form prevents SQL injection
Preconditions (1)
Step 1: Enter "admin' OR '1'='1" in the username field
Step 2: Enter any password in the password field
Step 3: Click the login button
✅ Expected Result: Login is rejected and an error message is displayed without exposing database errors
Automation Requirements - Selenium with Python
Assertions Needed:
Verify that the error message is displayed
Verify that the URL does not change to a logged-in page
Verify that no database error messages are shown on the page
Best Practices:
Use explicit waits to wait for elements
Use clear and maintainable locators (By.ID, By.NAME)
Use assertions that check visible text and URL
Handle exceptions gracefully
Automated Solution
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import unittest

class TestSQLInjection(unittest.TestCase):
    def setUp(self):
        self.driver = webdriver.Chrome()
        self.driver.get('https://example.com/login')
        self.wait = WebDriverWait(self.driver, 10)

    def test_sql_injection_login(self):
        driver = self.driver
        wait = self.wait

        username_input = wait.until(EC.visibility_of_element_located((By.ID, 'username')))
        password_input = driver.find_element(By.ID, 'password')
        login_button = driver.find_element(By.ID, 'loginBtn')

        username_input.clear()
        username_input.send_keys("admin' OR '1'='1")
        password_input.clear()
        password_input.send_keys('anyPassword')
        login_button.click()

        # Wait for error message to appear
        error_message = wait.until(EC.visibility_of_element_located((By.ID, 'errorMsg')))

        # Assert error message is shown
        self.assertIn('Invalid username or password', error_message.text)

        # Assert URL did not change to dashboard
        self.assertNotIn('/dashboard', driver.current_url)

        # Assert no database error text is visible
        page_source = driver.page_source.lower()
        self.assertNotIn('sql syntax', page_source)
        self.assertNotIn('database error', page_source)

    def tearDown(self):
        self.driver.quit()

if __name__ == '__main__':
    unittest.main()

This test script uses Selenium with Python's unittest framework to automate the manual test case.

In setUp, it opens the browser and navigates to the login page.

The test test_sql_injection_login enters a common SQL injection string in the username field and any password, then clicks login.

It waits explicitly for the error message element to appear, then asserts the error message text is correct, ensuring the login was rejected.

It also checks the URL to confirm the user was not redirected to a logged-in page.

Finally, it checks the page source to ensure no database error messages are shown; a raw database error on a login page would disclose implementation details and is itself a security defect.

The tearDown method closes the browser after the test.

This structure follows best practices: explicit waits, clear locators by ID, and meaningful assertions.

Common Mistakes - 4 Pitfalls
Using time.sleep() instead of explicit waits
Using brittle XPath locators like absolute paths
Not checking that no database error messages appear
Not verifying the URL to confirm login failure
Bonus Challenge

Now add data-driven testing with 3 different SQL injection inputs to verify the login form rejects all.
