How to pull multiple records using SQL statement?

Question

Thanks in advance for your help.

I'm working with an application that a user developed. It prompts you for something to search for and then performs a basic query:

SELECT * FROM Table
WHERE Entry=[ENTRY];

I cannot change that format. All I can do is modify the text of [ENTRY]. Is there a way I can pull multiple records without modifying the structure of the statement itself? For Example:

SELECT * FROM Table
WHERE Entry='COW | APPL* | ROO*';

to acheive the results:

COW, APPLE, APPLES, ROOF, ROOM, ROOSTER;

Please excuse the rudimentary example - Thanks,

Blake

Answer 1

This totally depends on the code. If there is possibility than you can use Sql injection method to request multiple records.

SELECT * FROM Table
WHERE Entry='COW' OR Entry ='APPL' OR Entry = 'ROO';

Following this example your variable [ENTRY] should be this:

[ENTRY] = "'COW' OR Entry ='APPL' OR Entry = 'ROO'";

Note, that this will not work, if your [ENTRY] variable is protected against sql injection.

EDIT: So here is an sql injection method not knowing the table name: this should be your string to copy in:

COW' OR 1 = '1

Answer 2

Figured it out.. now my problem is that I don't know what the user called the column in question lol.

If I knew what "Entry" was I would do:

[Entry] = COW' OR WHERE Entry='APPL*' OR WHERE Entry='ROO*

so that the final SQL statement reads:

SELECT * FROM Table
WHERE Entry='COW' OR WHERE Entry='APPL*' OR WHERE Entry='ROO*';

giving me what I was looking for.

Answer 3

Provided SQL injection is allowed, you can input an SQL query in the user input field as follows:

COW' OR Entry = 'APPL%' OR Entry = 'ROO%

This should make the SQL statement look like:

SELECT * 
FROM Table 
WHERE Entry='COW' OR Entry = 'APPL%' OR Entry = 'ROO%';

Answer 4

If the developer didn't prevent sql injection, you can try add ; and create a new query.

If you can change = to IN.