[SQLi] impact of: character' /*

Posted

Hello,

I would like to know the impact of the injection: string' /*

For example in such a query :

"select username,pass from users where username='$uname' and password='$passwrd' limit 0,1"

"select username,pass from users where username='admin' /*' and password='$passwrd' limit 0,1"

So we only look for the user admin, then we extend the query by adding ' and finally /* will bypass the end of the query?

Posted

/* is the start of a comment so it will comment out the rest of the query.

It will work in MySQL, Oracle and MSSQL as far as I know

http://dev.mysql.com/doc/refman/5.7/en/comments.html

https://technet.microsoft.com/en-us/library/ms188621(v=sql.105).aspx

In your example, only this should get executed by the server:

select username,pass from users where username='admin' 
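An added example, not part of the thread: the poster's query built by string splicing next to a parameterized version, run against an in-memory SQLite table with constructed rows. The column name password (the thread's select list says pass) and the sample credentials are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data, not from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, uname, passwrd):
    """The thread's query shape: user input spliced into the SQL text.

    With uname = "admin' /*" the opening /* has no closing */, so SQLite
    (like the MySQL and MSSQL docs linked above) treats everything after it
    as a comment and the password check never reaches the engine.
    """
    sql = (
        "select username,password from users where username='%s' "
        "and password='%s' limit 0,1" % (uname, passwrd)
    )
    return conn.execute(sql).fetchone()


def lookup_safe(conn, uname, passwrd):
    """Same query with bound parameters: the input is a value, never SQL.

    The quote and the /* are matched literally against the username column,
    so the comment trick simply finds no row.
    """
    sql = (
        "select username,password from users where username=? "
        "and password=? limit 0,1"
    )
    return conn.execute(sql, (uname, passwrd)).fetchone()
```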
