Reported error code considered SQL Injection?

SQL injection that actually runs a SQL command is one thing. But injecting data that doesn't actually run a harmful query but that might tell you something valuable about the database, is that considered SQL injection? Or is it just used as part to construct a valid SQL injection?

An example could be

set rs = 开发者_开发技巧conn.execute("select headline from pressReleases 
where categoryID = " & cdbl(request("id")) )

Passing this a string that could not be turned into a numeric value would cause

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cdbl'

which would tell you that the column in question only accepts numeric data and is thus probably of type integer or similar.

I seem to find this in a lot of pages discussing SQL injection, but don't really get an answer if this in itself is considered SQL injection. The reason for my question is that I have a scanning tool that report a SQL injection vulnerability and reports a VBScript runtime error '800a000d' as the reason for the finding.

This is clearly an SQL injection vulnerability, and it needs to be fixed.

There are a few reasons for this in your scenario:

• Finding out incidental information such as you describe may be useful to an attacker, particulary if they have other attack vectors.
• An attacker finding this vulnerability would be encouraged to go look for some more. Sloppy here may mean sloppy elsewhere.
• In security it is important not to be too clever. Your attacker may know a lot more, or something more, than you do. So what may look to you like a contained vulnerability may be an open door to soneone else.

So yes, your tool is doing the right thing.

I'd say yes! You inject an SQL string and get information you aren't supposed to get. I think that's already "harmful" enough.