[OWASP_PHPSEC] Framework testing

Sven Rautenberg sven at rtbg.de
Sun Sep 15 21:14:38 UTC 2013


On 15.09.2013 23:07, rahul chaudhary wrote:
> To test the framework we need to test if the autoloader is working, if the
> front controller is working...if requests are handled by the proper
> controllers and if the controllers properly process the request and call
> the correct view...all these must be done manually ....right ??
> 
> 
> On Sun, Sep 15, 2013 at 5:06 PM, Sven Rautenberg <sven at rtbg.de> wrote:
> 
>> On 15.09.2013 23:04, rahul chaudhary wrote:
>>> Hello All,
>>>
>>> Can someone give me some ideas on how to test the framework because we
>>> cannot do it with PHP as the controllers such as login, logout etc. won't
>>> work in there as they use POST, GET, COOKIE etc. things....
>>>
>>>
>>
>> You can still use PHP. The question is: What do you need tested?
>>
> 
> 
> 

The tests you describe are called integration tests or functional tests,
or end-to-end tests.

They need not be done manually.

For example, autoloading does not need tests. If it didn't work, you
would have noticed, as it fails with a fatal error if classes are not
present. Such an error case is out of scope for testing. It should be
verified that no information is leaking through error messages sent to
the user, but that should be it.

Testing if requests are properly handled should be on the one hand the
task of a unit test of the routing. And I underline "unit test" here,
and I mean that you just instantiate the tested class, and fill it with
mock objects for anything else that touches the outside world.

So after the unit test you know that the requests are getting somewhere.
The integration test part is to verify in an application that the
defined requests end up in the proper controllers.

You can set every variable in PHP. This includes $_GET, $_SERVER etc.

Regards,
Sven
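
The routing unit test with mock controllers and the superglobal assignment described in the message above, as an added example that is not part of the original post or of the OWASP PHPSEC code. `Router`, `fakeRequest`, `check`, the routes and all request data are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical minimal router standing in for the framework's routing class.
final class Router
{
    private $routes = [];
    public function add($method, $path, callable $handler)
    {
        $this->routes[strtoupper($method) . ' ' . $path] = $handler;
    }
    // Reads the request from the superglobals, as a front controller would.
    public function dispatch()
    {
        $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
        $key = strtoupper($_SERVER['REQUEST_METHOD']) . ' ' . $path;
        $handler = isset($this->routes[$key]) ? $this->routes[$key] : null;
        return $handler ? call_user_func($handler, $_GET, $_POST, $_COOKIE) : '404';
    }
}

// Test helper: overwrite the superglobals with constructed request data.
function fakeRequest($method, $uri, array $post = [], array $cookie = [])
{
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $get);
    $_SERVER['REQUEST_METHOD'] = $method;
    $_SERVER['REQUEST_URI'] = $uri;
    $_GET = $get;
    $_POST = $post;
    $_COOKIE = $cookie;
}
// Throws instead of using assert(), which php.ini can disable.
function check($ok, $what) { if (!$ok) { throw new RuntimeException("FAILED: $what"); } }

$calls = [];
// Mock controller: records the call instead of touching sessions or a database.
$mock = function ($name) use (&$calls) {
    return function ($get, $post, $cookie) use ($name, &$calls) {
        $calls[] = [$name, $get, $post, $cookie];
        return "$name-view";
    };
};
$router = new Router();
$router->add('POST', '/login', $mock('login'));
$router->add('GET', '/logout', $mock('logout'));
fakeRequest('POST', '/login?next=home', ['user' => 'alice']);
check($router->dispatch() === 'login-view', 'POST /login reaches login');
check($calls[0] === ['login', ['next' => 'home'], ['user' => 'alice'], []], 'request data passed');
fakeRequest('GET', '/logout', [], ['sid' => 'constructed']);
check($router->dispatch() === 'logout-view' && $calls[1][3] === ['sid' => 'constructed'], 'logout');
fakeRequest('GET', '/login');
check($router->dispatch() === '404' && count($calls) === 2, 'GET /login is not routed');
echo "all routing checks passed\n";
```

The last check is the security-relevant one: it confirms the login controller is not reachable with a method the route does not declare.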

