mailing list archives
Re: SQL Injection ORDER BY plus DROP TABLE?
From: Pranay Kanwar <warl0ck () metaeye org>
Date: Wed, 15 Aug 2007 17:15:23 +0530
Separate the queries with a ;, i.e. ORDER BY 1; DROP TABLE A.
Don't know which database you are trying this on, but mysql
does not allow a straight query like ORDER BY 1 DROP TABLE A.
warl0ck // MSG
wonderfulandromeda () gmail com wrote:
I remember, long back I tried SQL injection like this.
ORDER BY 1--
It worked. This proves that there was a select query towards the left of the injection point. This also worked
ORDER BY 1 DROP TABLE A
It spewed an output like it can not drop table A because it doesn't exist. I am wondering what kinda SQL query would
that be which has a select query and accomodates DROP along with ORDER BY 1.
AFAIK, DROP should be a separate statement and it should cause a syntax error if combined with SELECT. Any