Error Message High Vega has detected error output from a database server. This may indicate an SQL injection vulnerability, though this is not confirmed. If this is due to an SQL injection condition, exploitation of SQL injection vulnerabilities can also allow for attacks against the logic of the application. Attackers may be able to obtain unauthorized access to the server hosting the database. Vega has detected a known SQL error string. This can indicate a possible SQL injection vulnerability. These vulnerabilities are present when externally-supplied input is used to construct a SQL query. If precautions are not taken, the externally-supplied input (usually a GET or POST parameter) can modify the query string such that it performs unintented actions. These actions include gaining unauthorized read or write access to the data stored in the database, as well as modifying the logic of the application. SQL error messages should not be output to clients, as this may be useful information in exploiting any related vulnerability. The developer should review the request and response against the code to manually verify whether or not a vulnerability is present. The best defense against SQL injection vulnerabilities is to use parameterized statements. Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for escape characters, and numeric types should be checked to ensure that they are valid. Use of stored procedures can simplify complex queries and allow for tighter access control settings. Configuring database access controls can limit the impact of exploited vulnerabilities. This is a mitigating strategy that can be employed in environments where the code is not modifiable. Object-relational mapping eliminates the need for SQL. CWE-209: Information Exposure Through an Error Message SQL Injection (Wikipedia) mysql_real_escape_string() (PHP Manual) SQL Injection (Rails security guide) How To: Protect from SQL Injection in ASP.NET (MSDN) Dynamic SQL and SQL Injection (Raul Garcia's blog) SQL Injection Prevention Cheat Sheet (OWASP)