What is the smallest possible character sequence for SQL injection attacks?

Question

What is the smallest possible character sequence for SQL injection attacks?

Simple SQL injection attack with as few characters as possible. Please note: I am not trying to prevent SQL injection attacks by limiting data entry to a specific size, but I am really curious how many characters are required to perform even the simplest attack.

For posterity, let's say the smallest table name is 4 characters, for example, "user". Please rate this.

+6

sql code-injection

coderintherye Nov 23 '10 at 1:55

source share

3 answers

When entering into a string literal:

 ';drop database;--

+6

SLaks Nov 23 '10 at 2:03

source share

Suppose the request was generated as follows

 "Select * from user where userid = " + myVar 1; delete from user;

0

John hartsock Nov 23 '10 at 2:00

source share

david · Accepted Answer · 2010-11-23T02:06:09+0000

1 Character is the smallest unit you control over. The question is highly dependent on what you are doing. For example, if you are dealing with an interface for deleting your profile from the site, and you send '%' instead of your name:

"Delete from Users where name like '"+username+"'"

then setting your username to % will delete all users.

What is the smallest possible character sequence for SQL injection attacks?

More articles: