Selecting everything in a table ... with a where clause

I have an interesting situation where I am trying to select everything in a SQL Server table, but I can only access the table through an old company API instead of SQL. This API asks for a table name, a field name, and a value. It then simply concatenates them into the query:

select * from [TABLE_NAME_VAR] where [FIELD_NAME_VAR] = 'VALUE_VAR'; 

I can't change the = sign to != or anything else, only those vars. I know this sounds awful, but I can't change the API without going through a lot of hoops, and that's all I have to work with.

There are several columns in this table that are all numbers, all strings, and are not null. Is there a value that I can pass to this API function that will return everything in the table? Perhaps a constant or special value that means it's a number, it's not a number, it's a string, *, it's not empty, etc.? Any ideas?

+4
4 answers

You can try passing this VALUE_VAR

 1'' or ''''='' 

If it is used as-is and executed as Dynamic SQL, this should result in

 SELECT * FROM tab WHERE fieldname = '1' or ''='' 
+2

No, this is not possible if the API is built correctly.

If this is some kind of home-grown thing, this may not be so. You can try entering YourTable]-- as the value for TABLE_NAME_VAR, so that when concatenated into the query, it ends up as

 select * from [YourTable]--] where [FIELD_NAME_VAR] = 'VALUE_VAR'; 

If the ] is either rejected or properly escaped (by doubling it), this will not work.

+5
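
What the answer above means by an API that is "built correctly", sketched for SQL Server as an added example that is not part of the original thread or the legacy API. The procedure name dbo.SelectByField, its parameters, the restriction to the dbo schema and the Orders/Status inputs are assumptions made for illustration.

```sql
-- Added example (hypothetical names): identifiers are resolved against the
-- catalog and bracket-quoted, and the value travels as a bound parameter.
CREATE PROCEDURE dbo.SelectByField
    @TableName sysname,
    @FieldName sysname,
    @Value     nvarchar(4000)
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @schema sysname, @table sysname, @column sysname;

    -- Only an existing dbo table and one of its own columns can match.
    -- The names used later come from the catalog, not from the caller.
    SELECT @schema = s.name, @table = t.name, @column = c.name
    FROM sys.tables  AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    JOIN sys.columns AS c ON c.object_id = t.object_id
    WHERE s.name = N'dbo'
      AND t.name = @TableName
      AND c.name = @FieldName;

    IF @table IS NULL
    BEGIN
        THROW 50001, N'Unknown table or column.', 1;
    END;

    -- QUOTENAME doubles any ] inside a name, so a name cannot close its bracket.
    DECLARE @sql nvarchar(max) =
          N'SELECT * FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
        + N' WHERE ' + QUOTENAME(@column) + N' = @v;';

    -- @v is data, never SQL text: quotes or "or" inside it are compared literally.
    EXEC sys.sp_executesql @sql, N'@v nvarchar(4000)', @v = @Value;
END;
GO

-- Constructed inputs taken from the values discussed in this thread:
EXEC dbo.SelectByField N'Orders', N'Status', N'1'' or ''''=''';  -- matched as a plain string
EXEC dbo.SelectByField N'Orders]--', N'Status', N'x';            -- error 50001, no such table
SELECT QUOTENAME(N'YourTable]--');                               -- [YourTable]]--]
```

Against a numeric column, a non-numeric @Value raises a conversion error instead of returning rows.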

Here is a simple example; hope this can help.

 declare @a varchar(max)
 set @a = ' ''1'' or 1=1 '
 declare @b varchar(max)
 set @b = ('select * from [TABLE_NAME_VAR] where [FIELD_NAME_VAR]=' + @a)
 exec(@b)
+2

If your API allows you to use a column name instead of a constant,

 select * from [TABLE_NAME_VAR] where [FIELD_NAME_VAR] = [FIELD_NAME_VAR] ; 
+2

Source: https://habr.com/ru/post/1497632/

