Why should we sometimes use --+ instead of -- in SQL injection to comment the rest of the query?
I have encountered some websites that when I used -- to comment the rest of the query it didn't work, but when I tried --+ it worked.
In the MySQL official documentation there is no such thing as --+ and we only have -- and two other ways:
https://dev.mysql.com/doc/refman/8.0/en/comments.html
Why does this happen (in detail)? I want to know exactly why this works sometimes and -- doesn't, and why there is no --+ for comments in the MySQL man page?
http sql-injection mysql
I suppose your question is more related to HTTP than to SQL...
– Your Common Sense, 11 hours ago
@YourCommonSense I had no idea it's related to HTTP and not SQL, so why does this happen?
– Richard Jones, 11 hours ago
You can also use # which doesn't need a space after
– paj28, 10 hours ago
edited 18 mins ago by Boann
asked 11 hours ago by Richard Jones
1 Answer
From the documentation:
From a -- sequence to the end of the line. In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.2.4, “'--' as the Start of a Comment”.
(emphasis mine)
Many URL decoders treat + as a space.
answered 10 hours ago by AndrolGenhald
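The decoding step the answer describes, shown from the log-analysis side as an added example (not part of the original question or answer): a rule that looks for a literal "-- " in the raw query string misses --+, because the space only exists after form decoding. The function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# MySQL rule quoted in the answer: "--" starts a comment only when the second
# dash is followed by whitespace or a control character (ASCII 0x00-0x20, 0x7f).
DASH_COMMENT = re.compile(r"--[\x00-\x20\x7f]")


def decoded_params(raw_query):
    """Decode a raw query string the way form decoders do: '+' becomes a
    space first, then %XX escapes are resolved."""
    return parse_qsl(raw_query, keep_blank_values=True)


def has_dash_comment(value):
    """True if the decoded value contains a '--' that MySQL would treat as
    the start of a comment. Simplification: quoting context is ignored."""
    return DASH_COMMENT.search(value) is not None


def flag_query(raw_query):
    """Names of parameters whose decoded value contains a MySQL '--' comment."""
    return [name for name, value in decoded_params(raw_query)
            if has_dash_comment(value)]


def naive_raw_match(raw_query):
    """The check that fails: searching the undecoded string for '-- '."""
    return "-- " in raw_query


# Constructed sample query strings, as they would appear in an access log.
SAMPLES = [
    "q=a--+b",     # '+' decodes to a space      -> comment
    "q=a--%20b",   # %20 decodes to a space      -> comment
    "q=a--%09b",   # %09 decodes to a tab        -> comment
    "q=a--b",      # nothing after second dash   -> not a comment
    "q=a--%2Bb",   # %2B decodes to a literal +  -> not a comment
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw:12} decoded={decoded_params(raw)!r:22} "
              f"flagged={flag_query(raw)} naive={naive_raw_match(raw)}")
```
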