Hacking - SQL Injection - MySQL - String Operations
String-related operations can be quite useful for building injections that do not use any quotes, for bypassing other blacklisting, or for determining the back-end database.
String Concatenation
||
SELECT login || '-' || password FROM members
NOTE: About MySQL “||”
If MySQL is running in ANSI mode, `||` works as string concatenation; otherwise MySQL treats it as a `logical operator` and the expression will return 0.
A better way to do it is to use the CONCAT() function in MySQL:
CONCAT(str1, str2, str3, ...) (M)
/* Concatenate supplied strings. */
SELECT CONCAT(login, password) FROM members
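The mode dependence described in the note can be reproduced in a scratch MySQL session. The script below is an added example, not part of the original page; the temporary members table and its rows are constructed sample data. It goes slightly beyond the text by also showing how CONCAT() and CONCAT_WS() treat NULL, which matters when reviewing queries or writing filter rules for either form.

```sql
-- Constructed sample data; the table mirrors the members table used on this page.
CREATE TEMPORARY TABLE members (
    login    VARCHAR(32),
    password VARCHAR(64)
);
INSERT INTO members (login, password) VALUES
    ('alice', 's3cret'),
    ('bob',   NULL);

-- Check which mode the session is actually running in.
SELECT @@SESSION.sql_mode;

-- Default behaviour: without PIPES_AS_CONCAT, || is a synonym for OR.
-- Each operand is cast to a number before the logical OR is evaluated,
-- so the result is a truth value, not a joined string.
SET SESSION sql_mode = '';
SELECT login, login || '-' || password AS pipes_default FROM members;

-- PIPES_AS_CONCAT makes || the string concatenation operator.
SET SESSION sql_mode = 'PIPES_AS_CONCAT';
SELECT login, login || '-' || password AS pipes_concat FROM members;

-- ANSI is a combination mode that includes PIPES_AS_CONCAT,
-- which is why the ANSI-mode case in the note works.
SET SESSION sql_mode = 'ANSI';
SELECT login, login || '-' || password AS pipes_ansi FROM members;

-- CONCAT() does not depend on sql_mode, so it behaves the same on any server.
SET SESSION sql_mode = '';
SELECT login, CONCAT(login, '-', password) AS via_concat FROM members;

-- CONCAT() returns NULL if any argument is NULL (the 'bob' row);
-- CONCAT_WS() skips NULL arguments instead of propagating them.
SELECT login,
       CONCAT(login, '-', password)    AS concat_null_propagates,
       CONCAT_WS('-', login, password) AS concat_ws_skips_null
FROM members;

DROP TEMPORARY TABLE members;
```

Because the meaning of || changes with sql_mode, a filter or code review that only looks for one concatenation form will behave differently across servers; checking @@sql_mode first removes the guesswork.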
hacking/sql_injection/mysql/string_operations.1587074651.txt.gz · Last modified: 2020/07/15 09:30 (external edit)