SQL Injection syntax inquiry-commented injections



  • I have some programming experience, but am having trouble with SQL injection code. I don't understand why there's sometimes SQL syntax after the comment character (such as -- or #). I know that -- - and --+ are just required comment syntax, but there are injection examples with much more complex syntax after the comment characters.

    Specific example:

    $statement = "SELECT * FROM users WHERE username ='Dean' OR '1'='1'-- ' AND password = 'WinchesterS'";

    How is the syntax after the double-dashes able to be interpreted or executed in the database?

    According to the site where I found it: -- (double hyphen) instructs the SQL parser that the rest of the line is a comment and should not be executed

    https://www.edureka.co/blog/sql-injection-attack

    I've been researching for quite some time but can't figure it out. Thank you



  • In short, the syntax after the -- comment marker is part of the original query. For example, if the query was run without injection but with username "Dean" and password "WinchesterS", then the query would look like this:

    SELECT * FROM users WHERE username ='Dean' AND password = 'WinchesterS';
    

    The SQL Injection in this case is:

    Dean' OR '1'='1'-- 
    

    Now, if that is entered as the username field, it extends the username into a SQL OR statement, which will always be true, thus allowing login. However, the original end to the query is still in place:

    ' AND password = 'WinchesterS';
    

    In order to avoid a syntax error, the -- comment marker is used to ignore that part of the original query.


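The behaviour described in the answer above can be reproduced end to end. The following is an added example, not code from the original thread: it builds the same concatenated query against an in-memory SQLite database (a constructed two-row users table, an assumption for the demo), runs it with the injected username, and contrasts it with a parameterized query. It also goes one step beyond the thread by showing what happens to the same payload without the comment marker: one variant still parses but changes its meaning because AND binds tighter than OR, and another leaves a dangling quote and fails with a syntax error, which is exactly the error the comment marker is there to suppress.

```python
import sqlite3

# Constructed sample data for the demo (assumption, not from the original thread).
USERS = [("Dean", "WinchesterS"), ("Sam", "Hunter1")]

# The payload from the thread. Note the trailing space: MySQL requires whitespace
# after "--", which is why "--+" and "-- -" appear in other examples.
INJECTED_USERNAME = "Dean' OR '1'='1'-- "


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_query_unsafe(username, password):
    """Reproduce the vulnerable string concatenation from the thread verbatim.

    Everything the caller types is spliced straight into SQL text, so the
    original tail "' AND password = '...'" is still present after the input.
    """
    return f"SELECT * FROM users WHERE username ='{username}' AND password = '{password}'"


def login_unsafe(conn, username, password):
    """Run the concatenated query and return the matched rows."""
    return conn.execute(build_query_unsafe(username, password)).fetchall()


def has_syntax_error(conn, username, password):
    """True if the concatenated query no longer parses (e.g. a dangling quote)."""
    try:
        login_unsafe(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


def login_safe(conn, username, password):
    """Parameterized query: the inputs are bound as values and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Legitimate login: one row.
    print(build_query_unsafe("Dean", "WinchesterS"))
    print(login_unsafe(db, "Dean", "WinchesterS"))
    # Injected username: "--" comments out the password check, OR '1'='1' matches every row.
    print(build_query_unsafe(INJECTED_USERNAME, "wrong"))
    print(login_unsafe(db, INJECTED_USERNAME, "wrong"))
    # Same idea without the comment: still valid SQL, but AND binds tighter than OR,
    # so only the username='Dean' clause matches.
    print(build_query_unsafe("Dean' OR '1'='1", "wrong"))
    print(login_unsafe(db, "Dean' OR '1'='1", "wrong"))
    # A payload that leaves the original trailing quote unbalanced: syntax error.
    print(build_query_unsafe("Dean' OR 1=1", "wrong"))
    print(has_syntax_error(db, "Dean' OR 1=1", "wrong"))
    # Parameterized: the payload is just a username string that matches nobody.
    print(login_safe(db, INJECTED_USERNAME, "wrong"))
```

Running the script prints each concatenated query next to its result, so you can see the original tail of the query sitting after the payload in every case. The fix is the parameterized form: the database receives the query text and the values separately, so the quote and the comment marker in the payload are just characters in a username and never reach the SQL parser.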