Reported error code considered SQL Injection?

Posted by inquam on Stack Overflow
Published on 2010-06-09T11:36:55Z Indexed on 2010/06/09 11:42 UTC

SQL injection that actually runs a SQL command is one thing. But injecting data that doesn't actually run a harmful query but that might tell you something valuable about the database, is that considered SQL injection? Or is it just used as part of constructing a valid SQL injection?

An example could be

set rs = conn.execute("select headline from pressReleases " & _
    "where categoryID = " & cdbl(request("id")))

Passing this a string that could not be turned into a numeric value would cause

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cdbl'

which would tell you that the column in question only accepts numeric data and is thus probably of type integer or similar.

I seem to find this in a lot of pages discussing SQL injection, but don't really get an answer as to whether this in itself is considered SQL injection. The reason for my question is that I have a scanning tool that reports a SQL injection vulnerability and reports a VBScript runtime error '800a000d' as the reason for the finding.
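For triaging scanner findings like the one described in the question, the following added example (not part of the original post) sorts classic ASP error banners by the component that raised them: the VBScript engine, as with the `cdbl` type mismatch above, or the database provider. The function names, finding ids and sample response bodies are constructed for illustration; the second sample assumes the usual OLE DB provider banner format.

```python
import re

TAGS = re.compile(r"<[^>]+>")
# Classic ASP error banner: "<component> error '<8 hex digits>'"
BANNER = re.compile(r"(Microsoft [^'\r\n]*?|ADODB\.\w+)\s+error\s+'([0-9A-Fa-f]{8})'")

VERDICTS = {
    "script": "raised by the VBScript engine (e.g. a conversion such as CDbl), not by "
              "the database driver: verbose error disclosure, review validation and error pages",
    "database": "raised by the database provider: the request reached the data layer, "
                "review how the query is built and parameterize it",
    "other": "ASP error from another component: review manually",
    "none": "no ASP error banner in the response",
}

def classify(body):
    """Return (layer, code) for the first ASP error banner in a response body."""
    text = " ".join(TAGS.sub(" ", body).split())  # drop markup, collapse whitespace
    m = BANNER.search(text)
    if m is None:
        return ("none", None)
    component, code = m.group(1), m.group(2).lower()
    if "VBScript runtime" in component or "VBScript compilation" in component:
        return ("script", code)
    if any(k in component for k in ("OLE DB", "ODBC", "JET", "ADODB")):
        return ("database", code)
    return ("other", code)

def triage(findings):
    """Map each finding id to (layer, code, verdict)."""
    out = {}
    for fid, body in findings.items():
        layer, code = classify(body)
        out[fid] = (layer, code, VERDICTS[layer])
    return out

# Constructed sample responses; F-1 reuses the error text quoted in the question.
SAMPLES = {
    "F-1": "Microsoft VBScript runtime error '800a000d'\nType mismatch: 'cdbl'\n",
    "F-2": "<font face=\"Arial\" size=2>Microsoft OLE DB Provider for ODBC Drivers</font> "
           "<font face=\"Arial\" size=2>error '80040e14'</font>",
    "F-3": "<html><body>No press releases found.</body></html>",
}

if __name__ == "__main__":
    for fid, (layer, code, verdict) in triage(SAMPLES).items():
        print(fid, layer, code, verdict)
```
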

© Stack Overflow or respective owner
