Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.
If code exists that allows invalid data to be acted upon or input into the database, this is a finding.
If column/field definitions are not reflective of the data, this is a finding.
If columns/fields do not contain constraints and validity checking where required, this is a finding.
Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.
Where a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.
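The following is an added illustration of what the column-definition and constraint part of this check looks like in practice; it is not part of the STIG text. It assumes PostgreSQL syntax, and the table, column and constraint names are invented. The first definition is the kind of schema that produces a finding (data stored as untyped text, no validity checking); the second reflects the data with appropriate types and constraints, while leaving a documented free-form `notes` column unconstrained, which per the check is not a finding. The closing query is one starting point a reviewer could use to list text-typed columns that carry no CHECK constraint; it only narrows the review and does not replace reading the stored procedures, triggers and application code the check also names.

```sql
-- Added example (assumed PostgreSQL; invented table/column names).

-- Definition that would be a finding: column types do not reflect the data
-- and nothing rejects invalid input.
CREATE TABLE orders_weak (
    order_id     TEXT,      -- identifier stored as free text
    customer_id  TEXT,      -- no reference to the customers table
    status       TEXT,      -- any string is accepted
    quantity     TEXT,      -- numeric value stored as text
    unit_price   TEXT,
    order_date   TEXT,      -- '2024-13-45' is accepted as a date
    email        TEXT,
    notes        TEXT       -- genuinely free-form; acceptable as-is
);

-- Definition that satisfies the check: types reflect the data and
-- constraints enforce validity at the column level.
CREATE TABLE customers (
    customer_id  INTEGER PRIMARY KEY
);

CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customers (customer_id),
    status       VARCHAR(16) NOT NULL
                 CONSTRAINT chk_orders_status
                 CHECK (status IN ('NEW', 'PAID', 'SHIPPED', 'CANCELLED')),
    quantity     INTEGER NOT NULL
                 CONSTRAINT chk_orders_quantity CHECK (quantity > 0),
    unit_price   NUMERIC(12, 2) NOT NULL
                 CONSTRAINT chk_orders_unit_price CHECK (unit_price >= 0),
    order_date   DATE NOT NULL,          -- the DATE type itself rejects malformed values
    email        VARCHAR(254)
                 CONSTRAINT chk_orders_email
                 CHECK (email ~ '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'),
    notes        TEXT                    -- documented free-form field: no content constraint required
);

-- Sample rows (constructed) that the hardened table rejects; each statement
-- fails with a constraint or type error instead of storing invalid data.
INSERT INTO customers (customer_id) VALUES (42);

INSERT INTO orders (order_id, customer_id, status, quantity, unit_price, order_date, email)
VALUES (1, 42, 'PENDING', 1, 9.99, DATE '2024-01-15', 'a@example.com');   -- chk_orders_status

INSERT INTO orders (order_id, customer_id, status, quantity, unit_price, order_date, email)
VALUES (2, 42, 'NEW', -3, 9.99, DATE '2024-01-15', 'a@example.com');      -- chk_orders_quantity

INSERT INTO orders (order_id, customer_id, status, quantity, unit_price, order_date, email)
VALUES (3, 99, 'NEW', 1, 9.99, DATE '2024-01-15', 'a@example.com');       -- foreign key: no customer 99

INSERT INTO orders (order_id, customer_id, status, quantity, unit_price, order_date, email)
VALUES (4, 42, 'NEW', 1, 9.99, '2024-13-45', 'a@example.com');            -- invalid DATE literal

INSERT INTO orders (order_id, customer_id, status, quantity, unit_price, order_date, email)
VALUES (5, 42, 'NEW', 1, 9.99, DATE '2024-01-15', 'not-an-address');      -- chk_orders_email

-- Reviewer query: text-typed columns in the schema with no CHECK constraint
-- referencing them. Each hit is a candidate for the "definitions reflect the
-- data" and "constraints where required" parts of the check; columns named
-- notes/comments/description or documented as free-form are then excluded.
SELECT c.table_name, c.column_name, c.data_type
FROM information_schema.columns AS c
WHERE c.table_schema = 'public'
  AND c.data_type IN ('text', 'character varying')
  AND NOT EXISTS (
      SELECT 1
      FROM information_schema.constraint_column_usage AS u
      JOIN information_schema.table_constraints AS t
        ON  t.constraint_schema = u.constraint_schema
        AND t.constraint_name   = u.constraint_name
      WHERE u.table_schema = c.table_schema
        AND u.table_name   = c.table_name
        AND u.column_name  = c.column_name
        AND t.constraint_type = 'CHECK'
  )
ORDER BY c.table_name, c.column_name;
```

Against the two tables above, the query lists every column of `orders_weak` plus `orders.notes`; the `notes` columns are then set aside under the free-form exception, and the remaining `orders_weak` columns are the finding. Constraints that live in triggers or stored procedures rather than in column definitions will not appear in `information_schema`, which is why the check directs the reviewer to that code as well.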