well actually there no injection sql in the var : -page -block it's just an error for type mismatch ... ( Microsoft VBScript runtime error '800a000d' Type mismatch: '[string: "query_blabla"]' i think those guys ( aria ) doesn't understand the difference between an error sql and a injection sql... wich i found funny for a security team ;P