Tuesday, May 6, 2014

How to Test a Web Form

Testing a web form is a fundamental challenge for any QA engineer. But to do it in a professional way, you need a clear vision of how and what to test in a web form.


What is a web form?

A web form is a bundle of components (text labels, text fields, text areas, drop-down fields, radio buttons, check boxes, a submit button, etc.) in a web page. I'm assuming that you know the behavior and characteristics of these web components.

Today, I'm going to give you a very important set of tips and tricks for web form testing.


Test mandatory fields - First of all, submit the form without filling in or selecting any field. You should see required-field validation messages next to all mandatory fields. (You can identify mandatory fields by the * mark displayed beside the field.)
Test trim functionality – Now you know the required fields in your web form. Next, enter only spaces in all required fields and submit. A space is a blank character. You shouldn't be able to submit the form with only spaces in the required fields. If you can, report a bug and ask for all required fields to be trimmed.
ADD/EDIT/DELETE/VIEW – Most web forms are built on a data management system. So we have to test that the four basic SQL operations (INSERT INTO, UPDATE, DELETE and SELECT) work. Try to add a record, edit a record, delete a record and view a record. You can check the data either in the database or from the front end.
Special character testing – Send special characters (for example ~!@#$%^&*()_+`-=<>?,./:";'{}[]\| etc.) through the form fields and see whether you can break the app.
Test emails - If the form sends emails in graphical format, make sure they display correctly in all the main email clients.
Field validation - Your form fields may have validations for field length, email format, phone number format, etc. You need to enter data that exercises these rules and check the validation messages shown against the fields.
Client side validation vs server side validation – We use client-side validation (JS validation) to validate user input before the form is submitted. It is light and fast.

If JS validations are faster, why do we need server-side validations?
Basically because web browsers have an option to disable JavaScript. So someone can bypass the JS validations and send harmful data to the server. As a QA engineer, you should not forget to check that both validation types are present.
Important: If site functionality does not work while JS is disabled, that is acceptable. The real problem is if someone can send direct requests while JS is disabled.
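
As an added example (not from the original post), here is a small server-side validator in Python that repeats the mandatory-field, trim, length and format checks from the list above, so a request sent with JS disabled is rejected the same way as one sent from the form. The field names, limits and patterns are assumptions chosen for illustration.

```python
import re

# Hypothetical rules for a sign-up form; field names and limits are assumptions.
RULES = {
    "name":  {"required": True,  "max_len": 50},
    "email": {"required": True,  "max_len": 254,
              "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
    "phone": {"required": False, "max_len": 16,
              "pattern": re.compile(r"\+?[0-9]{7,15}")},
}

def validate_form(submitted):
    """Return (cleaned, errors) for a dict of raw submitted strings.

    Runs on the server for every request, whether or not the browser ran
    the JS checks, so a direct request is treated like a form submission.
    """
    cleaned, errors = {}, {}
    unknown = set(submitted) - set(RULES)
    if unknown:
        errors["_form"] = "Unexpected fields: " + ", ".join(sorted(unknown))
    for field, rule in RULES.items():
        raw = submitted.get(field, "")
        # Trim first, so a value made only of spaces counts as empty.
        value = raw.strip() if isinstance(raw, str) else ""
        if not value:
            if rule["required"]:
                errors[field] = "This field is required."
            continue
        if len(value) > rule["max_len"]:
            errors[field] = "Too long (max %d characters)." % rule["max_len"]
        elif "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors[field] = "Invalid format."
        else:
            cleaned[field] = value
    return cleaned, errors

if __name__ == "__main__":
    # Constructed request bodies, as if sent directly with JS disabled.
    print(validate_form({"name": "   ", "email": "not-an-email"}))
    print(validate_form({"name": " Ann ", "email": "ann@example.com"}))
```

These checks decide whether a value is acceptable for the field; they do not make it safe to paste into an SQL statement, which is handled separately by parameterized queries.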


Post and Get methods – There are two commonly used HTTP request methods: GET and POST. Either can be used, depending on the situation. What we need to know is that the GET method adds data to the URL, where it is visible to everyone. Now, change the URL parameters manually and try to perform some unauthorized activity. If you can, you have found a bug!
Security testing - I always believe a good QA engineer should be a good hacker! No joke! If you are a good hacker, you should be a good security tester too.

SQL injection
The medium that carries data from the web page to the database is called an SQL query. If you know the behavior of the query, you may be able to access the database in an irregular way. Let me show you an example.
Consider an SQL query like this:
     SELECT * FROM Users WHERE Username='$username' AND Password='$password'
If we insert the values below,
     $username = 1' or '1' = '1
     $password = 1' or '1' = '1
then the query becomes
     SELECT * FROM Users WHERE Username='1' or '1' = '1' AND Password='1' or '1' = '1'
This condition is always true (the final or '1' = '1' holds for every row), so the query returns all rows in the Users table.
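
The login query above, as an added example that is not part of the original post: the same input is run against a query built by string concatenation and against a parameterized one, using Python's sqlite3 module. The table rows are constructed sample data and the function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory Users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    # The plaintext Password column mirrors the query in the post; real
    # applications store a salted password hash instead.
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("alice", "pw-alice"), ("bob", "pw-bob")])
    return db

def login_string_built(db, username, password):
    # Vulnerable form: user input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the WHERE clause.
    query = ("SELECT * FROM Users WHERE Username='" + username +
             "' AND Password='" + password + "'")
    return db.execute(query).fetchall()

def login_parameterized(db, username, password):
    # Hardened form: the SQL text is fixed and the values are bound as data,
    # so quotes in the input are compared literally and never parsed as SQL.
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return db.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    value = "1' or '1' = '1"  # the input shown in the post
    print("string-built :", login_string_built(db, value, value))
    print("parameterized:", login_parameterized(db, value, value))
    print("valid login  :", login_parameterized(db, "alice", "pw-alice"))
```

A tester can use the difference as the pass criterion: with bound parameters the input from the post matches no user, while a correct username and password still return exactly one row.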

What can you suggest to improve the security of a web application?

     (1) Include a CAPTCHA – A CAPTCHA is used to prevent robotic access. It keeps out spammers who use auto-filling software programs.
     (2) Use a secure protocol – Have you seen that some web sites start with https:// while others start with http://? HTTPS is the combination of HTTP and SSL/TLS, which is a more secure protocol. The communication is encrypted, so no one intercepting it can read the data.


User Interface testing – Formatting, alignment, images and colors make for a better user experience. UI testing is a separate topic to be discussed. For now, I'll give you a small hint: today, more than 80% of internet users use the Chrome and Firefox browsers (source: http://www.w3schools.com/browsers/browsers_stats.asp). So give more weight to those browsers while you are testing the UI.

 

    
Before I leave, I'll give you two additional tips.

Tip 1: Give suggestions to improve the quality of the application. But you are never allowed to exceed the requirement specification. Stay within that limit when you make your suggestions.

Tip 2: During your tests, keep an eye on the URL to make sure you are still testing in the same test environment. In my experience, I have seen some QA engineers start testing in the QA environment and end up in production. Don't get entangled. Keep an eye on the URL.