Author Options:

Is showing the user SQL error messages dangerous? Answered

If during error conditions your website shows a page full of SQL messages, does this put you at greater risk of an injection attack?



Best Answer 10 years ago

Yes, and it's bad practice. Not only does it expose the underlying structure of your database, but it also confuses users. Create a fancy, generic error template, and use that, then log the error message somewhere -- the database, a text file, syslog, etc. Never show the user more information than they know what to do with. Have some fun with an error page. Try something like Twitter did with their fail whale.


7 years ago

You need to software-based resolution. I should advise following application
mssql fix allows you to recover sql files of all available SQL Server fomats


10 years ago

The best security practice is always to obscure any information that even has the potential to give the public any visible information about the internal processes of an application or site. Most of the time this information will be harmless, but it can be used for sql injection attacks as well as fuzzing to gain more info which could potentially put your site at risk. That being said, it likely wouldn't cause a problem as there is a very small percentage of people who know what to do with the information, but why take the chance?


10 years ago

Johntron's answer is a good one. Put yourself in the end-user's position (consider when something goes wrong here on I'bles). Does a big SQL traceback, or a stupid JavaScript traceback, really tell the user anything? If not, then capture it and replace with something more understandable -- "We were unable to complete your request. Please fix XYZ and try again." If the SQL error is useful to you or your developers, then send it to the server logs where someone at your end can see and deal with it. If not, send it to the great bit bucket /dev/null.


Answer 10 years ago

In fact, I was referring to the Instructables error page (or lack thereof). To be fair, though, even the messiest errors I have seen on Instructables didn't expose all that much. But hopefully the web designer here will come to agree with Johntron. : )