In MySQL, comments can be inserted within keywords themselves, which provides another means of bypassing some input validation filters while preserving the syntax of the actual query. For example:
SEL/*foo*/ECT username,password FR/*foo*/OM users
But how is it possible to put comments inside reserved words? What's the advantage? And why is it a kind of bypass?
It seems buggy!
That quote is from a book from 2007... it may have been true for earlier versions of MySQL, but I can't find a MySQL version where that syntax doesn't return an error.
The original idea behind this syntax would be that if the application was trying to blacklist certain SQL keywords, then this attack would fool the application.
For example... if the application was trying to prevent an attacker from using SQL injection to delete records from the database, a blacklist of terms to disallow would filter out DELETE... but fail to filter out DEL/**/ETE.
However, trying to create a blacklist of terms to disallow in your dynamic queries is a terrible, ineffective approach to preventing SQL injection... and there are much easier and effective means of preventing SQL injection attacks, such as parameterized queries, that would render the embedded comment syntax useless even if it were still valid.
From OWASP:
As is almost always the case, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:
- Target fields that are not quoted
- Find ways to bypass the need for certain escaped meta-characters
- Use stored procedures to hide the injected meta-characters
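As an added illustration of the two points in the answer above (not code from the original post or from OWASP): a toy keyword blacklist of the kind described, shown passing the split DEL/**/ETE string, next to a parameterized query that treats the same string as plain data. The table, the rows and the filter are constructed for this example, and SQLite stands in for MySQL since the parameter-binding principle is the same.

```python
import sqlite3

# Constructed sample blacklist: the string-matching approach the answer
# above calls ineffective. It is here only to show the gap, not to deploy.
BLACKLISTED_KEYWORDS = ("SELECT", "DELETE", "DROP", "UNION")

def keyword_blacklist_allows(user_input: str) -> bool:
    """Naive filter: accept input only if no blacklisted keyword appears."""
    upper = user_input.upper()
    return not any(kw in upper for kw in BLACKLISTED_KEYWORDS)

def setup_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def count_users_named(conn: sqlite3.Connection, username: str) -> int:
    """Parameterized lookup: the driver binds `username` as a value, so
    comment sequences or quotes inside it never reach the SQL parser as
    syntax. This is the control that actually prevents injection."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0]

def demo():
    conn = setup_db()
    # The blacklist stops the plain keyword but not the split form quoted
    # in the answer: it compares strings, not the SQL tokens a parser sees.
    plain_blocked = not keyword_blacklist_allows("DELETE")
    split_passes = keyword_blacklist_allows("DEL/**/ETE")
    # Bound as a parameter, the same string is just a username that matches
    # no row; nothing in it is executed and the table is untouched.
    hits = count_users_named(conn, "DEL/**/ETE")
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return plain_blocked, split_passes, hits, remaining

if __name__ == "__main__":
    print(demo())  # (True, True, 0, 2)
```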
Thanks for Michael Fredrickson's perfect answer.
Check out the MySQL site and you'll see this way of commenting mentioned in all versions of MySQL.
In my version (5.5.24) if you write a query like this below:
sele/*ops*/ct name from tableName
You will get this error:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'sele/*ops*/ct name from
tableName' at line 1
But if you change it to this:
select na/*ops*/me from tableName
You will get this:
Unknown column 'na' in 'field list'
I think it comments out the rest of the field name. But if you write the query like this, it works without any problem:
select name/*ops*/ from tableName