Archive for the ‘Dirty Tricks’ Category

It Seemed So Clever

Friday, April 24th, 2009 by The Director

Thomas Construction offers a $75 gas card to people on a direct mail list. Users can visit a Web site to sign up for the program, and the URL for the site uses the name on the direct mailing as a subdomain instead of as a querystring parameter.

For example, B– here gets his information prepopulated:

[Image: B works.]

Now, if you go to the www subdomain, you are recognized as a guest:

[Image: I am a guest.]

Now, you know the first thing I would check, and the one thing that nobody else would check at Thomas’s interactive agency, don’t you?

(more…)

Culture of Corruption, QA Edition

Friday, January 9th, 2009 by The Director

If you’re testing file uploading or attachment capabilities, don’t forget to try empty files and corrupt files to see if your application can handle them appropriately.

Here’s a handy tool called File Destructor that creates invalid files with different extensions of determined size that you can use when running your corrupt file tests.

It’s designed to create files you can send to teachers to support a “the computer ate my homework” excuse, but we in QA can subvert that, can’t we? We can subvert anything.
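A small fixture generator in the spirit of the tool above, paired with the kind of header check an upload handler might run before parsing. This is an added example, not File Destructor or code from the original post; the function names, the `MAGIC` table and the result strings are assumptions made for the illustration.

```python
import os
import tempfile

# Well-known leading "magic" bytes for a few formats.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}

def make_fixtures(directory, ext, size):
    """Write three constructed test files for one extension; return their paths."""
    magic = MAGIC[ext]
    cases = {
        "empty": b"",
        # Right extension, wrong content: filler of the requested size, no header.
        "garbage": b"\x00" * size,
        # Plausible header, then junk where the real body should be.
        "truncated": (magic + b"\xff" * size)[:size],
    }
    paths = {}
    for name, data in cases.items():
        paths[name] = os.path.join(directory, name + ext)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return paths

def check_upload(path):
    """Minimal gate an upload handler could apply before handing off to a parser."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    if not head:
        return "reject: empty file"
    if ext not in MAGIC:
        return "reject: extension not allowed"
    if not head.startswith(MAGIC[ext]):
        return "reject: content does not match extension"
    return "pass to parser"

def run_demo(size=1024):
    """Generate the fixtures in a temp directory and run each through the gate."""
    with tempfile.TemporaryDirectory() as directory:
        paths = make_fixtures(directory, ".pdf", size)
        return {name: check_upload(path) for name, path in paths.items()}
```

The truncated fixture gets past the header check, so it is the one that exercises the parser's own error handling.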

Developers Fail Logic, Grantwood Village Residents

Friday, September 12th, 2008 by The Director

The developers of the Circuit City store locator fail logic.

Here’s the situation. You’re a user in tiny Grantwood Village, a mostly forgotten municipality in St. Louis County, Missouri, who wants to go to Circuit City because… well, okay, maybe it is an outrageous use case, but it fails:

  1. Go to the Circuit City home page.
  2. Click the Store Locator link at top.
  3. Store Locator displays:
    [Image: Another broken store locator]
    In the City edit box, type grantwood village.
  4. From the State drop-down list, select Missouri.
  5. Click Find.
  6. Uh oh. According to Circuit City, Grantwood Village does not exist:
    [Image: Grantwood Village, although small, is not invalid.]
    Much to the chagrin of Grantwood Village.
    Well, then, type the zip code of Lakeshire, Missouri (63121) into the Zip code edit box. Funny, though, Lakeshire is even smaller than Grantwood Village, as it’s essentially a small subdivision with a post office.
  7. Click Find again.
  8. The application acts as though the zip code is invalid:
    [Image: The zip code is valid, the application is not.]

This occurs whether you click the Find button underneath the Zip code edit box or underneath the City/State combination.  Don’t get me started about the design wisdom of putting two controls on a form that do the same thing.  You cannot convince me of its utility, and I disbelieve in your value of symmetry.

In this form, if the application detects a value in the latter, it ignores the former, period. So although it does sort of handle Or (you need to enter something in one or the other), it does not handle both (And) correctly, even though someone will probably encounter the situation of entering data in both forms.

And, when you’re feeling particularly nasty (which is to say, every day of the week), remember to try 87894.  This is an invalid zip code, and if your application doesn’t handle nonexistent zip codes (not merely strings that are not five numbers) or relies on a Web service call or whatnot to an application that does not handle nonexistent zip codes, hilarity ensues.

A New Test Case for Server-based Applications

Thursday, July 31st, 2008 by The Director

Nested within a Daily WTF story, we find an interesting test condition.

“But what if you just, say, pull the plug? A Finally block won’t execute when the computer is turned off!”

If you need me, I’ll be in the server room.

Taking a Time Out

Friday, February 22nd, 2008 by The Director

When you’re testing an application with any sort of security, you test the following as a matter of course:

  • User with correct username/password can log in.
  • User with incorrect username/correct password cannot log in.
  • User with correct username/incorrect password cannot log in.
  • User can log out.
  • User who is not logged in cannot access protected functions.

However, in the case of some applications and most Web applications, the server has a time limit on user inactivity; that is, after a certain amount of time, the server assumes that the user is done and shuts off the connection. You better make sure that works.

(more…)
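The checks listed above, plus the inactivity timeout, written as a runnable test against a toy session store. This is an added example, not code from the original post; `SessionStore`, `run_checks`, the constructed account and the 900-second limit are all assumptions. The clock is injected so the timeout can be tested without waiting.

```python
import secrets

class SessionStore:
    """Toy server-side session store with an idle timeout (hypothetical)."""
    def __init__(self, verify, idle_timeout, clock):
        # verify(username, password) -> bool; clock is injected so tests never sleep
        self.verify, self.idle_timeout, self.clock = verify, idle_timeout, clock
        self.last_seen = {}  # token -> time of last activity

    def login(self, username, password):
        if not self.verify(username, password):
            return None
        token = secrets.token_hex(16)
        self.last_seen[token] = self.clock()
        return token

    def logout(self, token):
        self.last_seen.pop(token, None)

    def access(self, token):
        last = self.last_seen.get(token)
        if last is None:
            return False
        if self.clock() - last > self.idle_timeout:
            del self.last_seen[token]  # expire on the server, not only in the UI
            return False
        self.last_seen[token] = self.clock()  # activity restarts the idle timer
        return True

def run_checks():
    now = [0]  # fake clock, in seconds
    verify = lambda u, p: (u, p) == ("alice", "correct-password")  # constructed account
    store = SessionStore(verify, idle_timeout=900, clock=lambda: now[0])
    token = store.login("alice", "correct-password")
    results = {
        "correct credentials log in": token is not None,
        "wrong username rejected": store.login("alicia", "correct-password") is None,
        "wrong password rejected": store.login("alice", "guess") is None,
        "no session, no access": not store.access("never-issued"),
    }
    now[0] += 600
    results["active inside the limit"] = store.access(token)
    now[0] += 600  # 1200 s since login, but only 600 s idle
    results["activity restarted the timer"] = store.access(token)
    now[0] += 901
    results["idle session expired"] = not store.access(token)
    other = store.login("alice", "correct-password")
    store.logout(other)
    results["logged-out token rejected"] = not store.access(other)
    return results
```

The expiry check runs on the server against the stored last-activity time, so a client that keeps the old token still loses access.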

Fun with the Gregorian Calendar

Sunday, February 10th, 2008 by The Director

As some of you know, the old calendaring system in use with certain Western countries from Roman times, called the Julian calendar, had some problems with not keeping up with the sun or something esoteric. To correct this, the Church made some adjustments to leap years and whatnot and blah blah blah (you want the details, go to Wikipedia).

However, this little bit of historical trivia lends itself to some fun with your date entry fields.

(more…)

Show the Precision and Take It Away

Thursday, January 24th, 2008 by The Director

CBS News’s video player shows an awful lot of precision when you play with the Play and Pause buttons:

[Image: The precision of the length is impeccable]

The clip length shows to 14 places to the right of the seconds, but it rounds immediately after displaying. If you work it just right, you can get it to display 0 of NaN.

Why the developer chose to display the real number before performing the rounding, I don’t know. Wait, you’re saying it was unplanned? As though the developer just churned out code without thinking? Say it ain’t so!

But while we’re on the subject, let me tell you some of the things I like to do to these Flash media players.

(more…)

“Yahoo!” Is What I Said When I Crashed It

Monday, November 26th, 2007 by The Director

  1. I have multiple machines here in the QAHY lab.
  2. I have the Yahoo! Messenger program installed on multiple machines and it’s set to automatically log in on a couple.
  3. Yahoo! allows a single user to log in only on one machine at a time.
  4. I use custom status messages to share my wit, so I often open the dialog box that allows you to enter that text.
  5. On patch or installation days, it’s not uncommon for my PCs to contend and collide for which one is actually logged into Yahoo! Messenger.

I say this so you’ll understand that I wasn’t looking for trouble with Yahoo! Instant Messenger. I was just using the software like I normally do.

(more…)

J. Deitch Wasn’t Listening

Thursday, October 25th, 2007 by The Director

Remember when I told you how to check your PDFs? Apparently, J. Deitch, who works for someone who does Amazon.com’s promotions, wasn’t listening.

(more…)

The Dirtiest Trick of All

Tuesday, September 25th, 2007 by The Director

You want to stop the heart of your tech team or project managers? Here’s how you do it:

  1. Open your crucial, behind, and ultimately doomed Web project in your Web browser.
  2. Type the following into your Web browser’s address bar:


    javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);

  3. Press ENTER.
  4. The images on the page will start to swirl. Set focus to the Web browser’s address bar.
  5. Retype the URL of the doomed project, but do not press ENTER or click Go (that would reload the page without the JavaScript running).
  6. Walk away from your desk knowing that it will display until the screensaver kicks on.

Ah, yes. A wayward project manager wandered over and caught sight of it, almost entering a state of hyperventilation as she summoned the complete tech team to her aid to discover what was going on.

I only wish I could have been there to see it, but I was away from my desk.

If nothing else, it should teach lessons in shoulder-surfing QA.

Cheap Shot Your Application’s Import Feature

Wednesday, August 1st, 2007 by The Director

Yes, it’s one little menu command or maybe button on a toolbar, but the Import… command exposes the soft underbelly of your application.

[Image: Dr. Creepy]

You know how your developers always shirk adding validation logic to any administrative tools because only administrators will use them, and administrators never try bonehead things? Well, the import feature offers access to the actual data that users normally have to use one or more screens on your application to enter. One or more screens to which developers have possibly added data validation after much prompting and shaming from the QA staff.

But short of actually corrupting the data in the database directly (which is fun, and I’d recommend trying it for its own sake), the import feature offers a means to enter crap into the database (or try to, anyway) that nature did not intend for that database.

(more…)

The Querystring: Soft Target

Tuesday, July 24th, 2007 by The Director

Gentle reader, I want to let you in on a little soft underbelly your Web sites and Web applications might have. The querystring.

As you might know, gentle reader, the querystring is that junk in the Address bar of the Web application. It includes the URL/pagename of the page your user is accessing, but it also can include parameter/value pairs that server-side applications process. That is, it’s a way that your developers can ignore inserting error-catching logic and show the world the stack traces they’re so proud of.

(more…)

Unleashing the Hamlet

Friday, July 13th, 2007 by The Director

Ladies and gentlemen, the infamous Hamlet Test, explained for your edification and as a tool for your arsenal. Some might call it a mechanism for Boundary Analysis, but it’s more than that. It’s just plain mean.

The use case, if you need one (oh, and how you’ll need one, since a “rock star” developer will tell you this would never happen in real life so he can, instead of writing flawless code, get back to YouTubing): Back when I was a technical writer, I used to write the documentation by using software. Hey, I know, that’s an odd concept; most technical writers, if they exist for an organization, will take what the developers give them and put it into a serifed font and call it a day. Not me, I actually used the software, which also explains why I had the second highest defect count in the company, above most of the full time QA people, but that’s another story.

So there I am, swiping and pasting data from the application into my text editor (UltraEdit, don’t you know?) while I’m rearranging a user’s guide weighing in at about 250 pages. I’m reorganizing procedures and how-tos, building new chapter intros, and whatnot, and I’m swiping and pasting from a massive Microsoft Word document at the same time as I’m swiping and pasting shorter strings from the application.

You can see where this is going, right? A never-in-the-real-world situation occurs. Instead of pasting a short string into an edit box, I dumped an entire chapter of the user guide into it. And it took it.

(more…)