[That quote is from a book from 2007](http://books.google.com/books?id=YJKbVzeabJYC&pg=PA268&lpg=PA268&dq=%22In%20MySQL,%20comments%20can%20even%20be%20inserted%20within%20keywords%20themselves%22&source=bl&ots=uLs_sZ32ny&sig=nkQslgFoZFRehvx17pX2AC0NT5Y&hl=en&sa=X&ei=lOBMUbfZBsXbiwLL3oC4CA&ved=0CDAQ6AEwAA#v=onepage&q=%22In%20MySQL,%20comments%20can%20even%20be%20inserted%20within%20keywords%20themselves%22&f=false)... it may have been true for earlier versions of MySQL, but I can't find a MySQL version where that syntax doesn't return an error.

The original idea behind this syntax would be that if the application was trying to *blacklist* certain SQL keywords, then this attack would fool the application.

For example... if the application was trying to prevent an attacker from using SQL injection to delete records from the database, a blacklist of terms to disallow would filter out `DELETE`... but fail to filter out `DEL/**/ETE`.

However, trying to create a blacklist of terms to disallow in your dynamic queries is a **terrible, ineffective** approach to preventing SQL injection... and there are much easier and more effective means of preventing SQL injection attacks, such as parameterized queries, that would render the embedded comment syntax useless even if it were still valid.

[From OWASP](https://www.owasp.org/index.php/SQL_Injection):

> As is almost always the case, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:
>
> - Target fields that are not quoted
> - Find ways to bypass the need for certain escaped meta-characters
> - Use stored procedures to hide the injected meta-characters
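The contrast the answer draws, as an added example that is not part of the original post: a keyword blacklist, a query built by string concatenation, and the same query written with a bound parameter, all run against a small constructed SQLite table (the answer is about MySQL; SQLite is used here only so the script runs offline with the standard library, and the `users` table, its rows and the function names are assumptions of this example). The concatenated version lets the input rewrite the `WHERE` clause, the blacklist never notices because no banned keyword appears, and the parameterized version compares the same input as a plain string and returns nothing.

```python
import sqlite3

# Constructed sample rows (not from the original page).
ROWS = [(1, "alice", "active"), (2, "bob", "disabled"), (3, "carol", "active")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def keyword_blacklist_rejects(name, banned=("DELETE", "DROP", "UNION")):
    """The kind of check the answer argues against: it scans for keywords only,
    so input that carries no banned word but still escapes the string literal passes."""
    upper = name.upper()
    return any(word in upper for word in banned)


def find_user_concat(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so the engine
    cannot tell data from statement and quotes in `name` change the query."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Hardened form: statement and value travel separately; whatever `name`
    contains is compared as a literal string and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR '1'='1"          # constructed input for the demonstration
    print(keyword_blacklist_rejects(hostile))  # False: no banned keyword present
    print(find_user_concat(db, hostile))       # all three rows: the WHERE clause was rewritten
    print(find_user_param(db, hostile))        # []: compared as a literal name, no match
```

The point for a reviewer is the last two calls: the fix is not a longer banned-word list but a query whose shape is fixed before any user data reaches the database driver.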