How to pull multiple records using SQL statement?

Question

Thanks in advance for your help.

I'm working with an application that a user developed. It prompts you for something to search for and then performs a basic query:

SELECT * FROM Table
WHERE Entry=[ENTRY];

I cannot change that format. All I can do is modify the text of [ENTRY]. Is there a way I can pull multiple records without modifying the structure of the statement itself? For Example:

SELECT * FROM Table
WHERE Entry='COW | APPL* | ROO*';

to acheive the results:

COW, APPLE, APPLES, ROOF, ROOM, ROOSTER;

Please excuse the rudimentary example - Thanks,

Blake

Answer 1

This totally depends on the code. If there is possibility than you can use Sql injection method to request multiple records.

SELECT * FROM Table
WHERE Entry='COW' OR Entry ='APPL' OR Entry = 'ROO';

Following this example your variable [ENTRY] should be this:

[ENTRY] = "'COW' OR Entry ='APPL' OR Entry = 'ROO'";

Note, that this will not work, if your [ENTRY] variable is protected against sql injection.

EDIT: So here is an sql injection method not knowing the table name: this should be your string to copy in:

COW' OR 1 = '1

Answer 2

If the developer didn't prevent sql injection, you can try add ; and create a new query.

If you can change = to IN.