What could be the input?

Sandeep Mewara

It breaks - gives unintended result. Throws an error or 0 results. For now, assume this query returns data.

Latest CodeProject post: Quick look into Machine Learning workflow How to solve Word Ladder Problem? To read all my blog posts, visit: Learn by Insight...

David Crow

Sandeep Mewara wrote:

...or 0 results.

From the limited information provided, if the query is returning 0 results, I'd assume there are no rows in 'test' whose 'id' column has a value of 100.

Sandeep Mewara wrote:

For now, assume this query returns data.

Are you not wanting it to? Your initial post asks what would cause the query to fail. So either the query is failing and you don't want it to, or it is succeeding and you want to find a way to make it fail. Color me confused.

"One man's wage rise is another man's price increase." - Harold Wilson

"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons

"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles

Nelek

mmmm.... Is that not open to sql injection? :rolleyes:

M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.

Lost User

Sandeep Mewara wrote:

PS: You cannot put * in the value anywhere.

Given that you did not put any restrictions on programming language or database software... what comes to my mind is bypassing that rule with a SQL trigraph[^] Trigraphs | Microsoft Docs[^]

Super Lloyd

-1; DELETE FROM test WHERE ID <> your question was poorly phrased I'd say... but I suggest the value above so that final query is SELECT * FROM test WHERE id= -1; DELETE FROM test WHERE ID <> 100

A new .NET Serializer All in one Menu-Ribbon Bar Taking over the world since 1371!

Jon McKee

Trick question? There is no input value considered:

SELECT * FROM test WHERE id= /* + INPUT + */ 100

It's all an in-line comment. If the test table has no id column you'd get an error though. Or am I misunderstanding something? :doh:

Espen Harlinn

SELECT * FROM test WHERE id= /*/*/ 100

No star needed, just /

Espen Harlinn Senior Architect - Ulriken Consulting AS The competent programmer is fully aware of the strictly limited size of his own skull; therefore he approaches the programming task in full humility, and among other things he avoids clever tricks like the plague.Edsger W.Dijkstra

Jon McKee

Just tested this with MySQL and it works fine. What db does this fail with for you?

Sandeep Mewara

Yes - intent here is to do sql inject and see how to misuse it. ;)

Latest CodeProject post: Quick look into Machine Learning workflow How to solve Word Ladder Problem? To read all my blog posts, visit: Learn by Insight...

Sandeep Mewara

Intent here is to do sql injection and see how to misuse it. :)

Latest CodeProject post: Quick look into Machine Learning workflow How to solve Word Ladder Problem? To read all my blog posts, visit: Learn by Insight...

Sandeep Mewara

Super Lloyd wrote:

your question was poorly phrased I'd say... but I suggest the value above so that final query is

Apologies if that was confusing or I was not able to convey it correctly. There is a query where something is mentioned in multiline quotes. Text in multiline quote is user driven. Can we put anything in that so that we misuse the queyr?

SELECT * FROM test WHERE id= /* + INPUT + */ 100

Latest CodeProject post: Quick look into Machine Learning workflow How to solve Word Ladder Problem? To read all my blog posts, visit: Learn by Insight...

Sandeep Mewara

Neh. Just trying to see how to misuse above sceanrio via SQL injection. Currently it is valid sql query that returns data.

Latest CodeProject post: Quick look into Machine Learning workflow How to solve Word Ladder Problem? To read all my blog posts, visit: Learn by Insight...

Sandeep Mewara

Even if this works, INPUT cannot have * in it. :)

Latest CodeProject post: Quick look into Machine Learning workflow How to solve Word Ladder Problem? To read all my blog posts, visit: Learn by Insight...

Peter_in_2780

Did you try: 1. HTML entities, like &#42 2. ASCII/Unicode in hex/octal \x2a \u002a \052 Some of those might sneak through. Just a thought from someone who knows nothing of your environment.

Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012

Espen Harlinn

SQL Server: Msg 113, Level 15, State 1, Line 1 Missing end comment mark '*/'. Msg 113, Level 15, State 1, Line 1 Missing end comment mark '*/'. Msg 102, Level 15, State 1, Line 1 Incorrect syntax near '='.

Espen Harlinn Senior Architect - Ulriken Consulting AS The competent programmer is fully aware of the strictly limited size of his own skull; therefore he approaches the programming task in full humility, and among other things he avoids clever tricks like the plague.Edsger W.Dijkstra

Espen Harlinn

Quote:

Even if this works, INPUT cannot have * in it.

It doesn't - I just replaced " INPUT " with "/"

Espen Harlinn Senior Architect - Ulriken Consulting AS The competent programmer is fully aware of the strictly limited size of his own skull; therefore he approaches the programming task in full humility, and among other things he avoids clever tricks like the plague.Edsger W.Dijkstra

Nelek

The used * are yours, not his

M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.

Jorgen Andersson

Because SQL Server allows nested comment blocks. "Nested comments are supported. If the /* character pattern occurs anywhere within an existing comment, it is treated as the start of a nested comment and, therefore, requires a closing */ comment mark. If the closing comment mark does not exist, an error is generated." - SQL Server | Microsoft Docs[^]

Wrong is evil and must be defeated. - Jeff Ello

DerekT P

In MySql or MariaDB, most values of INPUT starting with an exclamation mark will cause a syntax error IF there is no space between your opening comment tag and INPUT, eg:

SELECT * FROM test WHERE id= /*! oops */ 100

However it's also possible to inject valid SQL that way:

SELECT * FROM test WHERE ID= /*!0 OR ID > 0 OR ID= */ 100

This query returning all rows in the table. See MySql ref: Comments[^] The idea is that you can then write SQL that works across DBMS, by including code that is only "seen" by MySql. You can also include query optimiser hints using a similar /*+ hint */ syntax, so you could probably break your query by starting INPUT with a plus sign as well, again only provided there's no space after the opening asterisk. And yes, this is definitely too much of a programming question to be in the Lounge! :laugh:

Forogar

I did say "might be". ;-)

- I would love to change the world, but they won’t give me the source code.