Menu
I'm currently learning how SQL-Injections work. On many teaching-websites there are examples shown, such as
SELECT fieldlist
FROM table
WHERE field = 'x' AND email IS NULL; --';
In the field 'field' the content thats going to be checked comes from a textfield or something similar from a website. The user-input in this case is x' AND email IS NULL; --
What is the use of -- ??
I saw a few similar examples but no explanation. Am I missing something fundamental?
617
The double dash indicates that the rest of the string is interpreted as a comment. With that, the actual SQL query is just: SELECT * FROM Users WHERE username = 'admin' . This would effectively log in the attacker as the administrator user.
Definition of double hyphen : a punctuation mark ⸗ used in place of a hyphen at the end of a line to indicate that the word so divided is normally hyphenated.
The double hyphen places a single-line comment in a SQL*Plus script. The double hyphen works the same way as REMARK, except that it may be used in SQL statements and PL/SQL blocks. When used in a SQL statement or PL/SQL block, the double hyphen may be used to add trailing comments to a line.
Union-based SQL injection involves the use of the UNION operator that combines the results of multiple SELECT statements to fetch data from multiple tables as a single result set. The malicious UNION operator query can be sent to the database via website URL or user input field.
Ohh nevermind. The -- is used to out-comment the rest of the query...
178
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
