Home/ Questions/Q 859945
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T08:44:45+00:00

SQL injection that actually runs a SQL command is one thing. But injecting data

  • 0

SQL injection that actually runs a SQL command is one thing. But injecting data that doesn’t actually run a harmful query but that might tell you something valuable about the database, is that considered SQL injection? Or is it just used as part to construct a valid SQL injection?

An example could be

set rs = conn.execute("select headline from pressReleases 
where categoryID = " & cdbl(request("id")) )

Passing this a string that could not be turned into a numeric value would cause

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cdbl'

which would tell you that the column in question only accepts numeric data and is thus probably of type integer or similar.

I seem to find this in a lot of pages discussing SQL injection, but don’t really get an answer if this in itself is considered SQL injection. The reason for my question is that I have a scanning tool that report a SQL injection vulnerability and reports a VBScript runtime error ‘800a000d’ as the reason for the finding.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is clearly an SQL injection vulnerability, and it needs to be fixed.

    There are a few reasons for this in your scenario:

    • Finding out incidental information such as you describe may be useful to an attacker, particulary if they have other attack vectors.
    • An attacker finding this vulnerability would be encouraged to go look for some more. Sloppy here may mean sloppy elsewhere.
    • In security it is important not to be too clever. Your attacker may know a lot more, or something more, than you do. So what may look to you like a contained vulnerability may be an open door to soneone else.

    So yes, your tool is doing the right thing.

    • 0