Reported error code considered SQL Injection?
Posted by inquam on Stack Overflow
Published on 2010-06-09T11:36:55Z
SQL injection that actually runs a SQL command is one thing. But injecting data that doesn't actually run a harmful query but that might tell you something valuable about the database, is that considered SQL injection? Or is it just used as part to construct a valid SQL injection?
An example could be:

set rs = conn.execute("select headline from pressReleases " & _
                      "where categoryID = " & cdbl(request("id")))
Passing this a string that could not be turned into a numeric value would cause
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cdbl'
which would tell you that the column in question only accepts numeric data and is thus probably of type integer or similar.
I seem to find this in a lot of pages discussing SQL injection, but don't really get an answer as to whether this in itself is considered SQL injection. The reason for my question is that I have a scanning tool that reports a SQL injection vulnerability and reports a VBScript runtime error '800a000d' as the reason for the finding.
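The behaviour described in the question, reproduced as an added example (this is editorial illustration in Python, not code from the question or from any answer to it). The in-memory table, its rows and the two lookup functions are constructed here; `float()` stands in for VBScript's `cdbl`, since both raise on non-numeric input. The first function mirrors the question's pattern: cast, then concatenate into the SQL string, so a verbose error page reveals the exception (and with it the column's numeric type) without any query having been altered. The second validates the input shape, binds it as a parameter, and returns a neutral result instead of an exception, which is what removes both the information leak and the concatenation path a scanner keys on.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's pressReleases table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pressReleases "
        "(id INTEGER PRIMARY KEY, categoryID INTEGER, headline TEXT)"
    )
    conn.executemany(
        "INSERT INTO pressReleases (categoryID, headline) VALUES (?, ?)",
        [(1, "Q1 results"), (1, "New office"), (2, "Product launch")],
    )
    return conn


def vulnerable_lookup(conn, raw_id):
    """Mirrors the question's pattern: cast to a number, then concatenate.

    float() raises ValueError on non-numeric text, the analogue of the
    cdbl type-mismatch runtime error. A page that echoes the exception
    tells the caller the column is numeric, even though no injected SQL ran.
    """
    value = float(raw_id)
    sql = "SELECT headline FROM pressReleases WHERE categoryID = " + str(value)
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, raw_id):
    """Validate the input shape, then bind it; user text never becomes SQL.

    Returns None for anything that is not a plain non-negative integer so
    the caller can answer with a generic 400/404 rather than an error page.
    """
    if not isinstance(raw_id, str) or not raw_id.strip().isdigit():
        return None
    category = int(raw_id)
    rows = conn.execute(
        "SELECT headline FROM pressReleases WHERE categoryID = ?", (category,)
    )
    return [row[0] for row in rows]


def observed_error(fn, conn, raw_id):
    """Name of the exception a verbose error page would display, or None."""
    try:
        fn(conn, raw_id)
        return None
    except Exception as exc:  # broad on purpose: we only want the class name
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))                # normal use works in both
    print(observed_error(vulnerable_lookup, db, "abc"))  # ValueError leaks to the page
    print(observed_error(hardened_lookup, db, "abc"))    # None: no runtime error text
    print(hardened_lookup(db, "1 OR 1=1"))           # None: rejected before any SQL
```

Running it shows the asymmetry the question is asking about: the non-numeric probe never executes a harmful statement in either version, but only the vulnerable version turns that probe into an oracle about the schema.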
© Stack Overflow or respective owner