MySQL query bypass

In MySQL, comments can be inserted into keywords, which provides another way to circumvent some input validation filters, while preserving the syntax of the actual query. For instance:

SEL/*foo*/ECT username,password FR/*foo*/OM users

But how can one put comments inside reserved words? What is the advantage? And why is this a kind of bypass?

It seems to be buggy!

+5
2 answers

This quote is from a book from 2007 ... maybe this was true for earlier versions of MySQL, but I cannot find a version of MySQL in which this syntax does not return an error.

With SQL injection, a filter that blocks DELETE could be bypassed by writing DEL/**/ETE.

OWASP:
+4

In MySQL (5.5.24), running:

sele/*ops*/ct name from tableName

gives:

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'sele/*ops*/ct name from
tableName' at line 1

And running:

select na/*ops*/me from tableName

gives:

Unknown column 'na' in 'field list'

However, this works:

select name/*ops*/ from tableName
+1
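As an added example that is not part of the question or of either answer: the script below uses Python's built-in sqlite3 as a stand-in for MySQL (assumption: its tokenizer treats /* ... */ and -- comments as whitespace in the same way for the cases shown; MySQL-only syntax such as /*! ... */ versioned comments is not exercised) to show why the second answer's result matters for the filter-evasion claim in the book. A comment inside a keyword is a syntax error at the database, so it bypasses nothing; a comment between tokens replaces the whitespace a naive keyword blacklist keys on, so the filter lets it through while the database still executes it. The blacklist regex, the users table, its rows and the payloads are all constructed for this example; the parameterised lookup at the end is the fix that does not depend on the filter at all.

```python
import re
import sqlite3

# Hypothetical blacklist of the kind the book's trick is aimed at: it only
# recognises the dangerous keyword sequences when plain whitespace separates them.
NAIVE_FILTER = re.compile(
    r"\bSELECT\s+.+?\s+FROM\b|\bDELETE\s+FROM\b|\bUNION\s+SELECT\b",
    re.IGNORECASE,
)

# Constructed payloads. Only BETWEEN_TOKENS both slips past the filter and parses.
INSIDE_KEYWORD = "SEL/*foo*/ECT username,password FR/*foo*/OM users"  # the book's form
PLAIN_WHITESPACE = "SELECT username,password FROM users"
BETWEEN_TOKENS = "SELECT/*foo*/username,password/*foo*/FROM/*foo*/users"


def naive_filter_blocks(text: str) -> bool:
    """True when the naive blacklist would reject this text."""
    return NAIVE_FILTER.search(text) is not None


def make_db() -> sqlite3.Connection:
    """In-memory sqlite3 database standing in for the MySQL server (assumption:
    its handling of /* */ and -- comments matches MySQL for these cases)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed rows
    )
    return conn


def run(conn: sqlite3.Connection, sql: str):
    """Execute sql as-is; return ('ok', rows) or ('error', message)."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def vulnerable_lookup(conn: sqlite3.Connection, name: str):
    """Blacklist plus string concatenation: the pattern the comment trick defeats."""
    if naive_filter_blocks(name):
        return "blocked", []
    return run(conn, f"SELECT username FROM users WHERE username = '{name}'")


def safe_lookup(conn: sqlite3.Connection, name: str):
    """Parameterised query: the input is bound as data, never tokenised as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (name,)
    ).fetchall()
    return "ok", rows


def demo() -> dict:
    """Run every case once and return the outcomes keyed by name."""
    conn = make_db()
    payload_ws = "x' UNION SELECT password FROM users--"
    payload_comments = "x' UNION/**/SELECT/**/password/**/FROM/**/users--"
    return {
        "inside_keyword": run(conn, INSIDE_KEYWORD),      # syntax error
        "between_tokens": run(conn, BETWEEN_TOKENS),      # executes
        "filter_catches_whitespace": naive_filter_blocks(payload_ws),
        "filter_catches_comments": naive_filter_blocks(payload_comments),
        "vulnerable": vulnerable_lookup(conn, payload_comments),  # leaks passwords
        "safe": safe_lookup(conn, payload_comments),              # no rows
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints one line per case: the book's SEL/*foo*/ECT form fails with a syntax error exactly as the second answer observed, the between-token form runs, the whitespace payload is caught by the blacklist while the comment-separated payload reaches the database and returns the password column, and the parameterised lookup returns nothing for the same input.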
