Why should we sometimes use --+ instead of — in SQL injection to comment the rest of the query?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
9
down vote

favorite












I have encountered some websites that when I used -- to comment the rest of the query it didn't work, but when I tried --+ it worked.



In the MySQL official documentation there is no such thing as --+ and we only have -- and two other ways:



https://dev.mysql.com/doc/refman/8.0/en/comments.html



Why does this happen (in detail)? I want to know exactly why this works sometimes and -- doesn't, and why there is no --+ for comments in the MySQL man page?










share|improve this question



















  • 1




    I suppose your question is more related to HTTP than to SQL...
    – Your Common Sense
    11 hours ago






  • 2




    @YourCommonSense i had no idea its related to HTTP and not SQL, so why this happens?
    – Richard Jones
    11 hours ago










  • You can also use # which doesn't need a space after
    – paj28
    10 hours ago














up vote
9
down vote

favorite












I have encountered some websites that when I used -- to comment the rest of the query it didn't work, but when I tried --+ it worked.



In the MySQL official documentation there is no such thing as --+ and we only have -- and two other ways:



https://dev.mysql.com/doc/refman/8.0/en/comments.html



Why does this happen (in detail)? I want to know exactly why this works sometimes and -- doesn't, and why there is no --+ for comments in the MySQL man page?










share|improve this question



















  • 1




    I suppose your question is more related to HTTP than to SQL...
    – Your Common Sense
    11 hours ago






  • 2




    @YourCommonSense i had no idea its related to HTTP and not SQL, so why this happens?
    – Richard Jones
    11 hours ago










  • You can also use # which doesn't need a space after
    – paj28
    10 hours ago












up vote
9
down vote

favorite









up vote
9
down vote

favorite











I have encountered some websites that when I used -- to comment the rest of the query it didn't work, but when I tried --+ it worked.



In the MySQL official documentation there is no such thing as --+ and we only have -- and two other ways:



https://dev.mysql.com/doc/refman/8.0/en/comments.html



Why does this happen (in detail)? I want to know exactly why this works sometimes and -- doesn't, and why there is no --+ for comments in the MySQL man page?










share|improve this question















I have encountered some websites that when I used -- to comment the rest of the query it didn't work, but when I tried --+ it worked.



In the MySQL official documentation there is no such thing as --+ and we only have -- and two other ways:



https://dev.mysql.com/doc/refman/8.0/en/comments.html



Why does this happen (in detail)? I want to know exactly why this works sometimes and -- doesn't, and why there is no --+ for comments in the MySQL man page?







http sql-injection mysql






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 18 mins ago









Boann

1795




1795










asked 11 hours ago









Richard Jones

543




543







  • 1




    I suppose your question is more related to HTTP than to SQL...
    – Your Common Sense
    11 hours ago






  • 2




    @YourCommonSense i had no idea its related to HTTP and not SQL, so why this happens?
    – Richard Jones
    11 hours ago










  • You can also use # which doesn't need a space after
    – paj28
    10 hours ago












  • 1




    I suppose your question is more related to HTTP than to SQL...
    – Your Common Sense
    11 hours ago






  • 2




    @YourCommonSense i had no idea its related to HTTP and not SQL, so why this happens?
    – Richard Jones
    11 hours ago










  • You can also use # which doesn't need a space after
    – paj28
    10 hours ago







1




1




I suppose your question is more related to HTTP than to SQL...
– Your Common Sense
11 hours ago




I suppose your question is more related to HTTP than to SQL...
– Your Common Sense
11 hours ago




2




2




@YourCommonSense i had no idea its related to HTTP and not SQL, so why this happens?
– Richard Jones
11 hours ago




@YourCommonSense i had no idea its related to HTTP and not SQL, so why this happens?
– Richard Jones
11 hours ago












You can also use # which doesn't need a space after
– paj28
10 hours ago




You can also use # which doesn't need a space after
– paj28
10 hours ago










1 Answer
1






active

oldest

votes

















up vote
23
down vote













From the documentation:




From a -- sequence to the end of the line. In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.2.4, “'--' as the Start of a Comment”.




(emphasis mine)



Many URL decoders treat + as a space.






share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196169%2fwhy-should-we-sometimes-use-instead-of-in-sql-injection-to-comment-the-re%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    23
    down vote













    From the documentation:




    From a -- sequence to the end of the line. In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.2.4, “'--' as the Start of a Comment”.




    (emphasis mine)



    Many URL decoders treat + as a space.






    share|improve this answer
























      up vote
      23
      down vote













      From the documentation:




      From a -- sequence to the end of the line. In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.2.4, “'--' as the Start of a Comment”.




      (emphasis mine)



      Many URL decoders treat + as a space.






      share|improve this answer






















        up vote
        23
        down vote










        up vote
        23
        down vote









        From the documentation:




        From a -- sequence to the end of the line. In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.2.4, “'--' as the Start of a Comment”.




        (emphasis mine)



        Many URL decoders treat + as a space.






        share|improve this answer












        From the documentation:




        From a -- sequence to the end of the line. In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.2.4, “'--' as the Start of a Comment”.




        (emphasis mine)



        Many URL decoders treat + as a space.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 10 hours ago









        AndrolGenhald

        7,69441427




        7,69441427



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196169%2fwhy-should-we-sometimes-use-instead-of-in-sql-injection-to-comment-the-re%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?