
I was trying https://server/shared/sendemail?sendto=" and got this response:

Database operation "0or1row" failed (exception ERROR, "ERROR: invalid input syntax for integer:""" LINE 4: where user_id = '"'; ^ ") while executing "ns_pg_bind 0or1row nsdb0 { select first_names, last_name from cc_users where user_id = :sendto }" ("uplevel" body line 1) invoked from within "uplevel $ulevel [list ns_pg_bind $type $db $sql]" ("postgresql" arm line 2) invoked from within "switch $driverkey { oracle { return [uplevel $ulevel [list ns_ora $type $db $sql] $args] } ..." 

If I put a random user ID as in https://server/shared/sendemail?sendto=999 the server shows this message:

Query did not return any rows. while executing "db_1row user_to_info { *SQL* }" ("uplevel" body line 22) invoked from within "uplevel { ad_page_contract { Sends an email to the user with user_id = sendto 

My question is, is it exploitable? Some explanation of what is happening would be great.

    1 Answer

    4

    It's not an SQL injection, and shouldn't be directly exploitable as one, since you've used a named parameter (:sendTo) instead of directly concatenating strings.

    However, it is indeed exploitable, because an attacker can simply change the ID number and cause your server to spam other accounts with emails.

    Also, cases like this one, where the client sends the wrong type of input, will trigger informative error messages; an attacker now knows that you're running PostgreSQL, for example.

    Generally, passing input directly to SQL queries without validating it is a very risky practice.

    • In which topic do I have to make the question?
      – Nemesius
      Commented Oct 29, 2018 at 6:04
    • I don't understand; your original question fits fine on Information Security Stack Exchange. What's the trouble?
      – ThrawnCA
      Commented Oct 30, 2018 at 8:08
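A hardened version of that page in OpenACS's own Tcl, added here as an example (it is neither the questioner's code nor OpenACS's): the ad_page_contract type filter rejects non-integer input before any SQL runs, the no-rows case is handled instead of raising into the response, and a permission check addresses the ID-changing problem the answer raises. The choice of the "read" privilege and the log line are assumptions about this application.

```tcl
# Added example, not the code from the question or from OpenACS itself.
# Hardened version of the /shared/sendemail page discussed above.
# Assumption (not on the page): the "read" privilege on the recipient's
# user object is the right authorisation rule for this application.

ad_page_contract {
    Sends an email to the user with user_id = sendto
} {
    sendto:integer,notnull
}
# The :integer filter rejects sendto=" (or sendto=abc) with a polite
# complaint page, so the database never sees the bad value and its
# "invalid input syntax for integer" text never reaches the client.

# Require a logged-in caller and check they may target this recipient;
# this is what stops an attacker from iterating user_id values to make
# the server send mail to other accounts.
auth::require_login
set caller_id [ad_conn user_id]
permission::require_permission -object_id $sendto -privilege read

# Leave an audit trail so unusual sendto patterns can be spotted in logs.
ns_log Notice "sendemail: user $caller_id requested mail to user $sendto"

# db_0or1row returns 0 when no row matched; handle that here instead of
# letting db_1row throw "Query did not return any rows" into the response.
if { ![db_0or1row user_to_info {
    select first_names, last_name
      from cc_users
     where user_id = :sendto
}] } {
    ad_return_complaint 1 "There is no user with that ID."
    ad_script_abort
}

# ... compose and send the message to "$first_names $last_name" here ...
```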
