Hacker News new | ask | show | jobs
by viraptor 3097 days ago
I agree with some cases, but "is this parameter/input value properly sanitized" is a bit weird. It should only every apply to a) the db framework, b) those N really weird cases that have to break the abstraction and don't use the db framework. If you have to test every input, then the problem is on a completely different level than missing a test.
1 comments
atticusCr 3097 days ago
Kind of, if you have a centralized place to perform input data validation, as it should, then it is just a matter to test that piece of code same if you are using a framework. However, I don't understand why you refer to a db in the first place? Is it because I used the injection attack as an example? if that's the case bare in mind that Injection target other interprets as well not only a db.

But getting back to my original idea, what I want to highlight the need of adding cases to cover application security.

link
viraptor 3096 days ago
Yeah, my mind substituted parameter with query parameter. Too much database stuff at my $dayjob recently and I get tunnel vision ;-)
link
atticusCr 3095 days ago
lol! thanks for your comments.
link