Jake

Reputation: 26107

SQL injection attack in LIKE clause

I have a file that runs a SQL query:

SELECT * FROM items WHERE name LIKE "%<String Passed to It>%"

I am trying to test for basic web security here. How can I break this query to drop the items table, without using spaces or semi-colons?

Upvotes: 0

Views: 5625

Answers (1)

Michael Payne

Reputation: 81

Try setting the value of the to be:

'\gDROP TABLE items\g--

You will need to escape that apostrophe.

Making your query look like this:

SELECT * FROM items WHERE name LIKE '%'\gDROP TABLE items\g--%'

In MySQL \g is equivalent to a semi-colon. However, I'm not sure if spacing is required as I do not currently have a local installation of MySQL set up, and I do not know exactly what language and framework you're using to execute that query.

However, the other comments are right that using a prepared statement and parameters rather than building the SQL string in code is the way to go in trying to prevent SQL Injection attacks.

See here

Upvotes: 1
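The prepared-statement approach the answer recommends, as an added example that is not from the question or the answer: a string-built LIKE query beside a parameterized one, run against a constructed in-memory SQLite table (sqlite3 stands in for MySQL here; the table contents and the function names are made up). The unsafe version shows that an ordinary apostrophe in the input already breaks the statement; the safe version binds the value as a parameter and also escapes the LIKE wildcards so `_` and `%` in user input match literally.

```python
import sqlite3

def make_db():
    """Constructed sample data, not from the original question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items (name) VALUES (?)",
        [("O'Brien's lamp",), ("100% cotton shirt",), ("plain_mug",), ("plain mug",)],
    )
    return conn

def search_vulnerable(conn, term):
    """String-built LIKE query, as in the question: the term becomes SQL text."""
    sql = "SELECT name FROM items WHERE name LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so user input is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_safe(conn, term):
    """Parameterized LIKE: the driver binds the value; it is never parsed as SQL."""
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pattern,))]

def demo():
    """Run both variants on inputs containing a quote and a LIKE wildcard."""
    conn = make_db()
    results = {}
    try:
        results["vuln_quote"] = search_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError as e:
        # The apostrophe terminated the string literal and broke the statement.
        results["vuln_quote"] = "SQL error: " + str(e)
    results["safe_quote"] = search_safe(conn, "O'Brien")
    # "_" is a single-character wildcard in LIKE: unescaped, it also hits "plain mug".
    results["vuln_underscore"] = search_vulnerable(conn, "plain_mug")
    results["safe_underscore"] = search_safe(conn, "plain_mug")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```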
