SQL injection. What is the difference between " 'OR 1=1 #" and " ' OR 1=1 -- "?
Solution 1
TL;DR: the # form is usable only on MySQL. The -- form is usable on any brand of SQL.
Both # and -- are used to introduce comments. The purpose of both in an SQL injection attack is to make sure the rest of the line is ignored.
SELECT * FROM MyTable WHERE name = '$unsafe_variable' AND id = 12345
An SQL injection attack might be able to interfere with the $unsafe_variable but the query would still be limited to the one row with a specific id. But what if the SQL injection attack could effectively neutralize the second term?
SELECT * FROM MyTable WHERE name = '' OR 1=1 -- ' AND id = 12345
                                    ^^^^^^^^^^^^
Anything past the -- is a comment, so it will be ignored by the query. It doesn't matter that the comment contains content that looks like more SQL syntax.
The -- is the only comment syntax that is specified by standard ANSI SQL, and all SQL implementations should support this syntax.
But most if not all SQL implementations support other comment syntax, because developers are more familiar with using it. Notably the /* comment */ syntax, because it allows multi-line comments, and it's supported by many other programming languages.
Both -- comment or /* comment */ are supported by all SQL brands I checked:
The # comment syntax is supported only by MySQL.
The { comment } syntax is supported only by Informix.
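The behaviour described in Solution 1, as an added example that is not part of the original answers: it runs the answer's query against SQLite (an assumption chosen so the code runs offline; SQLite accepts the standard -- comment but not MySQL's #) and compares string concatenation with a bound parameter. The function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; MyTable mirrors the query in the answer.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO MyTable VALUES (?, ?)",
                   [(12345, "alice"), (12346, "bob"), (12347, "carol")])
    return db

def lookup_concatenated(db, name):
    # Vulnerable form from the answer: the input is pasted into the SQL text,
    # so a comment marker inside it can cut off "AND id = 12345".
    sql = "SELECT id FROM MyTable WHERE name = '" + name + "' AND id = 12345"
    try:
        return sorted(r[0] for r in db.execute(sql))
    except sqlite3.Error as exc:
        # On SQLite the '#' form is not a comment and fails to parse.
        return "error: " + type(exc).__name__

def lookup_parameterized(db, name):
    # Hardened form: the value is bound, never parsed as SQL, so neither
    # comment syntax has any effect and the id condition always applies.
    sql = "SELECT id FROM MyTable WHERE name = ? AND id = 12345"
    return sorted(r[0] for r in db.execute(sql, (name,)))

def compare(inputs):
    # Map each input to (concatenated result, parameterized result).
    db = make_db()
    return {s: (lookup_concatenated(db, s), lookup_parameterized(db, s))
            for s in inputs}

DASH = "' OR 1=1 -- "   # the standard-comment form from the question
HASH = "' OR 1=1 #"     # the MySQL-only form from the question

if __name__ == "__main__":
    for text, (unsafe, safe) in compare(["alice", DASH, HASH]).items():
        print(repr(text), "concatenated:", unsafe, "parameterized:", safe)
```

With the bound parameter, both strings are compared as literal names and match no row, whichever comment syntax the engine supports.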
Solution 2
Simply, it is different syntax between DB engines: “ OR 1=1 #” works with a MySQL DB because comments there use #, but “ OR 1=1 -- ” works with a SQL Server DB because comments there use --. For more details about SQL injection methods and samples, check this link
Jay Cho
Updated on June 05, 2022
Comments
Jay Cho almost 2 years
There are several versions of SQL injection methods, but I don't know exactly why there are slight differences. How can I know the differences among the environments?