Weakly Typed SQL Injection

Programming languages come in two categories:
Hard/Strong Typed
Soft/Weak Typed

Hard Typed languages like Java/C++ demand a developer designate the data type of a variable when writing. Hence the use of types when declaring a variable:

int num = 0;
char letter = '';private string getUserById(int userId){    string query = "select * from users where user_id = " + (string)userId;
    DBConnection connection = new DbUtil();
    return connection.executeNativeSQL(query);
}

And any value assigned that doesn’t match the type will cause the system to come to a halt, if it will even compile in the first place.

So attempting to call the function getUserById("69") with a string as the passed parameter instead of the expected int will cause issues.

Soft Typed languages like Python/Javascript will set the variable type based off the value assigned during run time.

var num = 0;
function getUserById(userId){
    var query = 'select * from users where user_id = '+userId;
    var connection = new DbUtil();
    return connection.executeNativeSQL(query);
}

Attempting to call the function getUserById("69") with a string, int, double, or any type will just be rammed thru and the type casting will be done at run time.

How does this relate to SQL injection? Well, I’m glad I asked.
Developers who grew up in the Strong Typed world of programming have so engrained in their mind that variable types cannot be mismatched that it is common for them to assume integers provided by users could never be a string. Thus leading to SQL injection in common integer insertion points, i.e. ids, rows counts, etc.

A simple test to do.
Look for any numbers being passed in the HTTP body and put it into a string and replay the request to see if the sever handles the request in the same way.