May multiplication operator cause SQL injection?

Question

I am using acunetix to perform part of a security audit on an incoming website. The application is mainly developped with PHP and MySql.

All user input are escaped, but some input (url parameters mainly) remain partially unescaped : I can still send the '*' operator in the string parameter. Acunetix triggers an alert because of it :

Attack details

URL encoded POST input A was set to 417*1*1*1*1*1*1*

Tests performed:

648' => ERROR
648'' => ERROR
883*1*1* => ERROR
545*1*1*1*1 => OK
965*1*1*1*1* => ERROR
880*1*1*1*1*1*1 => OK
417*1*1*1*1*1*1* => ERROR

And I do not understand why it is considered a vulnerability : is the purpose to show that my input is not sufficiently escaped (no matter how actually exploitable the flaw), or is there a real hazard here? And in case there is : how do you exploit it?

Answer 1

By submitting the asterics operator the test provider just checks if the sign is evaluated as string or as an operator. If it throws an error for the syntactically wrong input it can be concluded, that it was not escaped. If some vulnerable code would be submitted, it would be therefore likely to be unescaped as well and therfore harm your infrastructure.

Submitting the asterics itself is considered harmless. Anyway it is just a test to see if there are vulnerabilites, the provider does not want to submit values that actually harm or destroy your test environment.