[SQLi] impact of: character' /*


pierre

Hello,

I would like to know the impact of the injection: string' /*

For example in such a query :

"select username,pass from users where username='$uname' and password='$passwrd' limit 0,1"

"select username,pass from users where username='admin' /*' and password='$passwrd' limit 0,1"

So we only look for the user admin, then we extend the query by adding ' and finally /* will bypass the end of the query?


/* is the start of a comment so it will comment out the rest of the query.

It will work in MySQL, Oracle and MSSQL as far as I know

http://dev.mysql.com/doc/refman/5.7/en/comments.html

https://technet.microsoft.com/en-us/library/ms188621(v=sql.105).aspx


In your example, only this should get executed by the server:

select username,pass from users where username='admin' 

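Added example (not from either poster): the query from the thread, built by string concatenation and then with bound parameters, run against a constructed in-memory SQLite table. SQLite is used here only as a stand-in for MySQL/MSSQL because it also treats an unterminated /* as a comment running to the end of the input; the table and rows are made up, and the WHERE column is named password (the post's query selects pass but filters on password, which would not run as written).

```python
import sqlite3


def make_db():
    # Constructed demo data, not from the original post.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text)")
    con.executemany(
        "insert into users values (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    return con


def login_vulnerable(con, uname, passwrd):
    """Same shape as the query in the thread: user input pasted into the SQL text.

    With uname = "admin' /*" the engine sees
        select username,password from users where username='admin' /*' and password='...' limit 0,1
    and everything after /* is a comment, so the password check never runs.
    """
    sql = (
        "select username,password from users where username='%s' "
        "and password='%s' limit 0,1" % (uname, passwrd)
    )
    return con.execute(sql).fetchone()


def login_safe(con, uname, passwrd):
    """Same query with bound parameters: the input is data, never parsed as SQL."""
    sql = (
        "select username,password from users where username=? "
        "and password=? limit 0,1"
    )
    return con.execute(sql, (uname, passwrd)).fetchone()


if __name__ == "__main__":
    con = make_db()
    # Legitimate login works in both versions.
    print(login_vulnerable(con, "admin", "s3cret"))
    # Injected username closes the string literal and comments out the rest,
    # so admin's row comes back regardless of the password supplied.
    print(login_vulnerable(con, "admin' /*", "wrong"))
    # With parameters the same payload is just a username that does not exist.
    print(login_safe(con, "admin' /*", "wrong"))
```

The payload only needs the quote to close the literal; the space before /* keeps the comment from touching the closing quote, and the engine discards the trailing " and password=... limit 0,1" exactly as the reply above describes.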
