One thing, actually two things, that I always test with any kind of input: homoglyphic substitution and emojis.
Homoglyphic substitution is when you use weird replacement characters for what seem to be normal Latin letters. These are my dangerous i’s: IilɩΙІіاᎥᛁⅠⅰIi. They are the richest family.
Pick any of these, and replace an i in your string, or use it for an int, or use true for a Boolean.
Always check what they look like in the DB and the logs. The i’s may be used for an account takeover if smith and smⅰth can be made to coalesce. And the dotless ɩ can wreak havoc in unsuspecting databases. Search for irongeek homoglyph and you can get a tool to do the heavy lifting for you.
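An added example (not from the original post): a Python check of which of the i lookalikes above coalesce with a plain i once some layer normalises the string, which is the smith / smⅰth case, and which stay distinct in storage while looking the same on screen. The function names and the choice of NFKC plus case folding as the comparison key are assumptions; your database collation or login code may normalise differently.

```python
import unicodedata

# The non-ASCII "i" lookalikes from the list above, as escapes so the code
# points are unambiguous: Latin iota, Greek Iota, Cyrillic I/i, Arabic alef,
# Cherokee V, Runic isaz, Roman numeral one (capital and small).
I_LOOKALIKES = "\u0269\u0399\u0406\u0456\u0627\u13a5\u16c1\u2160\u2170"


def canonical_key(name: str) -> str:
    """Assumed comparison key: NFKC, case fold, NFKC again."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return unicodedata.normalize("NFKC", folded)


def classify(name: str):
    """Swap the first 'i' for each lookalike; split by whether it coalesces."""
    coalesce, distinct = [], []
    for ch in I_LOOKALIKES:
        variant = name.replace("i", ch, 1)
        same = canonical_key(variant) == canonical_key(name)
        (coalesce if same else distinct).append(variant)
    return coalesce, distinct


def registration_check(candidate: str, existing: list[str]):
    """Return a reason to reject or review `candidate`, or None if it is clean."""
    taken = {canonical_key(u): u for u in existing}
    hit = taken.get(canonical_key(candidate))
    if hit is not None:
        return f"collides with {hit!r} after normalisation"
    odd = [ch for ch in candidate if ch in I_LOOKALIKES]
    if odd:
        names = ", ".join(unicodedata.name(ch) for ch in odd)
        return f"visually confusable, not folded: {names}"
    return None


if __name__ == "__main__":
    coalesce, distinct = classify("smith")  # constructed sample name
    for v in coalesce:
        print("coalesces:", ascii(v))
    for v in distinct:
        print("stays distinct:", ascii(v))
    for cand in ("sm\u2170th", "sm\u0456th", "jones"):
        print(ascii(cand), "->", registration_check(cand, ["smith"]))
```

The second branch only knows the family listed in this post; the confusables data published with Unicode UTS #39 is the general source for lookalike detection.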
The other painful input item is the pile of poo emoji. I learnt it from people who were a lot more learned in the dark arts than I was. While usually any emoji will do, don’t use smilies; use more modern, more unusual emojis, from a radar dish to a roo. Use them in user names, addresses, anything with free user input, and check in the DB whether they are defaulted to ?-marks. If they are, something ought to be done.