

Is showing the user SQL error messages dangerous?

If during error conditions your website shows a page full of SQL messages, does this put you at greater risk of an injection attack?

Discussions

Johntron

Best Answer 9 years ago

Yes, and it's bad practice. Not only does it expose the underlying structure of your database, but it also confuses users. Create a fancy, generic error template, and use that, then log the error message somewhere -- the database, a text file, syslog, etc. Never show the user more information than they know what to do with. Have some fun with an error page. Try something like Twitter did with their fail whale.

You need a software-based resolution. I should advise the following application: mssql fix allows you to recover SQL files of all available SQL Server formats.

The best security practice is always to obscure any information that even has the potential to give the public any visible information about the internal processes of an application or site. Most of the time this information will be harmless, but it can be used for SQL injection attacks as well as fuzzing to gain more info which could potentially put your site at risk. That being said, it likely wouldn't cause a problem as there is a very small percentage of people who know what to do with the information, but why take the chance?

Johntron's answer is a good one. Put yourself in the end-user's position (consider when something goes wrong here on I'bles). Does a big SQL traceback, or a stupid JavaScript traceback, really tell the user anything? If not, then capture it and replace with something more understandable -- "We were unable to complete your request. Please fix XYZ and try again." If the SQL error is useful to you or your developers, then send it to the server logs where someone at your end can see and deal with it. If not, send it to the great bit bucket /dev/null.
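The pattern Johntron's answer and the reply above both describe (generic message to the user, full detail to the server log) looks like this in practice. This is an added example, not code from the thread or from Instructables; it uses Python's built-in sqlite3 and logging modules with a constructed in-memory table, and the function names, the generic message wording and the short reference id are my own choices. A deliberately misspelled column name stands in for "something went wrong in the query", so the leaky and the safe handler can be compared on the same failure.

```python
import logging
import sqlite3
import uuid

# Server-side log sink. In a real deployment this would be a file, syslog or
# the database; here an in-memory handler keeps the example self-contained.
class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        # format() appends the traceback, so the driver's message lands here
        self.records.append(self.format(record))


logger = logging.getLogger("app.db")
log_sink = _ListHandler()
logger.addHandler(log_sink)
logger.setLevel(logging.ERROR)
logger.propagate = False

# What the end user sees. Only a reference id is shared with the log entry so
# support can find the real error without the page revealing it.
GENERIC_MESSAGE = ("We were unable to complete your request. "
                   "Please try again later and quote reference {ref}.")


def open_demo_db():
    """Constructed sample database (in memory) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn


def leaky_query(conn, sql, params):
    """The behaviour the question asks about: the raw driver error is returned
    as page content, exposing column and table names to whoever triggered it."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return f"Database error: {exc}"


def safe_query(conn, sql, params):
    """Same query, hardened: log everything server-side under a reference id,
    hand the user only a generic message carrying that id."""
    try:
        return {"ok": True, "rows": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        # exception() records the stack trace and the driver's text for us
        logger.exception("db error ref=%s sql=%r params=%r", ref, sql, params)
        return {"ok": False, "ref": ref,
                "message": GENERIC_MESSAGE.format(ref=ref)}


if __name__ == "__main__":
    db = open_demo_db()
    good = "SELECT name FROM users WHERE id = ?"
    broken = "SELECT nmae FROM users WHERE id = ?"   # typo stands in for a bug
    print("leaky:", leaky_query(db, broken, (1,)))   # user sees 'no such column: nmae'
    print("safe :", safe_query(db, broken, (1,)))    # user sees the generic message
    print("log  :", log_sink.records[-1].splitlines()[0])
    print("ok   :", safe_query(db, good, (1,)))
```

Running it prints the leaked driver text for the first call and only the generic message plus reference for the second, while the log entry holds the query, the parameters and the "no such column" detail. The reference id is what a user would quote to support, which is the one piece of error information worth showing them.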

In fact, I was referring to the Instructables error page (or lack thereof). To be fair, though, even the messiest errors I have seen on Instructables didn't expose all that much. But hopefully the web designer here will come to agree with Johntron. : )