Burp Suite User Forum

Why do I have to use the concatenation operator when SQL injecting?

etherr | Last updated: May 07, 2021 08:52PM UTC

Hello. I am doing the SQL injection labs. I got stuck on the blind SQL injection labs. I got lost when I saw this query in the solution:

TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

Why do we have to use this operator (||)? I managed to get the same query parameters by myself, but I used a -- comment at the end. Why is this wrong? I saw it again in the next lab, which runs on PostgreSQL:

TrackingId=xyz'||pg_sleep(10)--

But this time he used a comment, and yet we could have used a -- comment in the Oracle example, but it didn't work. This got me really lost. I hope you can help me with that. Thank you.

Uthman, PortSwigger Agent | Last updated: May 10, 2021 02:53PM UTC

Thanks for your query. Unfortunately, we are unable to provide personal support or tutoring to Academy users, as we prefer to improve the experience for our entire user base by focussing on expanding and refining our public content. Your post will stay up on the forum for a member of the community to reply. Have you taken a look at the learning materials? - https://portswigger.net/web-security/sql-injection/blind