user2936672 user2936672 - 9 months ago 41
SQL Question

DVWA sql injection

I have a question about commenting out the sql query.
The sql query has that form

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

So i try that
1' or 1=1; #
and i get all the users and passwords as i expected but when i use
for a comment instead of
i get a syntax error. Why is that happening ?
Can you explain how is the sql formed in each case ?
Also i notice
1' or 1=1 #
works too. The # symbol doesnt comment out the ; ?

Psi Psi
Answer Source

As you can read in the mysql manual:

In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)

When adding only -- to your input... there is no whitespace or control character following. Your synthesized query would look like that:

SELECT first_name, last_name FROM users WHERE user_id = '1' or 1=1--';

As you can see, the double dash is followed immediately by a ; which leads to a syntax error as it is not considered a comment.

Try putting in -- (with a trailing whitespace) at the end

For the ;: It is not necessary in a query issued to the server. This is only to separate different statements but with a single statement not required at all.

The mysql command line client does not send that character to the server but treats it as an "execution instruction".