tapulator — 2013-09-27T03:23:59-04:00 — #1
Dear Sitepoint fellows,
I wonder if anyone likes to share his knowledge about best practices concerning the testing of an implemented input validation.
Some of you surely know of the uncertainty: Is that input validation really working to 100 percent?
Let's say I want to validate that a user input has a certain format. (I obviously use a regular expression for that.) As test case I try out several strings including randomly generated ones and see if they break the validation. If that happens I optimize my regular expression and start the tests over again. This iterative process doesn't bother me, but...
My concern is: How can I make sure that I tested every sequence of the allowed characters? Or in general: How do I gather a complete set of test cases?
Looking forward to your feedback
cpradio — 2013-09-27T09:38:55-04:00 — #2
First off, kudos to taking the initiative and time to do proper testing
On all the projects I do, I try to test as many scenarios as I can, however, I realize I won't get them all when it comes to complicated regex or the like. So I go with what I feel is the most typical errors, a slew of random input, and a few edge cases that I could see others trying to enter. Beyond that, I just watch for issues, and when they arise, I add a test around those specific inputs.
Over time, it becomes rock solid (to the point, looking into the issue and adding a test is more expensive than what it is worth -- at that point, you are in a good position).
I think based on your description, you are set with what you have. You just need to release it, and monitor it.
mittineague — 2013-09-27T17:03:26-04:00 — #3
I always try to limit input as much as possible by "whitelist" (allows what is acceptable) rather than "blacklist" (excludes what is unacceptable).
That is, use radio or checkbox buttons or select options wherever possible.
For text inputs test that it contains only what you want instead of testing for what you don't want.
As cpradio mentioned, for complex input it's nigh impossible to think of every possibilty and I agree that it has to be released and monitored at some point else it will never get released.
tapulator — 2013-09-27T21:07:05-04:00 — #4
Thanks for your input, cpradio and Mittineague! Confirms me that the "iterative approach" is an acceptable solution.
No need to worry about putting too much effort in testing my code. I'm doing this web development thing for a while now.
Over time I was just getting curious if I could use additional, perhaps automated techniques to consolidate my input validation patterns. You have to admit, working on your validation until it "feels" right doesn't seem sophisticated. But if there are no further efficient solutions, I can live with that.
If anybody else likes to share his experiences in testing input validation, go for it.