SQLi and Implicit type conversion in MySQL

11 Apr 2013





This was inspired by the vagosec.org article on MySQL implicit type conversion. I enumerated all the different operators to see how MySQL does type conversions. The results are surprising in many cases. Two rules explain most of the rows below: when a string is used in a numeric context or compared with a number, MySQL converts it using its leading numeric prefix, and a string with no such prefix becomes 0; and operator precedence decides whether the trailing `= "C"` is applied to the operator's result or only to the right-hand string. For example, `"A" = "B" = "C"` is evaluated as `("A" = "B") = "C"`, i.e. `0 = "C"`, and because "C" converts to 0 the whole expression is true. The defensive consequence is that a predicate's truth value can depend on coercion rather than on the literal values, so column and parameter types should match or be cast explicitly.



String Operator Different String












































SELECT "A" AND "B" = "C"          -- False
SELECT "A" && "B" = "C"           -- False
SELECT "A" = "B" = "C"            -- True
SELECT "A" := "B" = "C"           -- Error
SELECT "A" BINARY "B" = "C"       -- Error
SELECT "A" & "B" = "C"            -- True
SELECT "A" ~ "B" = "C"            -- Error
SELECT "A" | "B" = "C"            -- True
SELECT "A" ^ "B" = "C"            -- True
SELECT "A" CASE "B" = "C"         -- Error
SELECT "A" DIV "B" = "C"          -- False
SELECT "A" / "B" = "C"            -- False
SELECT "A" <=> "B" = "C"          -- True
SELECT "A" >= "B" = "C"           -- True
SELECT "A" > "B" = "C"            -- True
SELECT "A" IS NOT NULL "B" = "C"  -- Error
SELECT "A" IS NOT "B" = "C"       -- Error
SELECT "A" IS NULL "B" = "C"      -- Error
SELECT "A" IS "B" = "C"           -- Error
SELECT "A" << "B" = "C"           -- True
SELECT "A" <= "B" = "C"           -- False
SELECT "A" < "B" = "C"            -- False
SELECT "A" LIKE "B" = "C"         -- True
SELECT "A" - "B" = "C"            -- True
SELECT "A" % "B" = "C"            -- False
SELECT "A" MOD "B" = "C"          -- False
SELECT "A" != "B" = "C"           -- False
SELECT "A" <> "B" = "C"           -- False
SELECT "A" NOT LIKE "B" = "C"     -- False
SELECT "A" NOT REGEXP "B" = "C"   -- False
SELECT "A" NOT "B" = "C"          -- Error
SELECT "A" ! "B" = "C"            -- Error
SELECT "A" !! "B" = "C"           -- Error
SELECT "A" OR "B" = "C"           -- False
SELECT "A" + "B" = "C"            -- True
SELECT "A" REGEXP "B" = "C"       -- True
SELECT "A" >> "B" = "C"           -- True
SELECT "A" RLIKE "B" = "C"        -- True
SELECT "A" SOUNDS LIKE "B" = "C"  -- True
SELECT "A" * "B" = "C"            -- True
SELECT "A" XOR "B" = "C"          -- False


String Operator Same String
















SELECT "A" & "A" = "C"            -- True
SELECT "A" | "A" = "C"            -- True
SELECT "A" ^ "A" = "C"            -- True
SELECT "A" > "A" = "C"            -- True
SELECT "A" << "A" = "C"           -- True
SELECT "A" < "A" = "C"            -- True
SELECT "A" - "A" = "C"            -- True
SELECT "A" != "A" = "C"           -- True
SELECT "A" <> "A" = "C"           -- True
SELECT "A" NOT LIKE "A" = "C"     -- True
SELECT "A" NOT REGEXP "A" = "C"   -- True
SELECT "A" NOT RLIKE "A" = "C"    -- True
SELECT "A" + "A" = "C"            -- True
SELECT "A" >> "A" = "C"           -- True
SELECT "A" * "A" = "C"            -- True


String Operator String-That-Starts-With-A-Number

Note: the examples use "1", but any string with a leading numeric prefix, such as "9foobar", "1.foobar", ".1foobar", "-9foobar" or "+.4foobar", behaves the same way.



















SELECT "A" = "1" = "C"            -- True
SELECT "A" & "1" = "C"            -- True
SELECT "A" DIV "1" = "C"          -- True
SELECT "A" / "1" = "C"            -- True
SELECT "A" <=> "1" = "C"          -- True
SELECT "A" << "1" = "C"           -- True
SELECT "A" <= "1" = "C"           -- True
SELECT "A" < "1" = "C"            -- True
SELECT "A" LIKE "1" = "C"         -- True
SELECT "A" % "1" = "C"            -- True
SELECT "A" MOD "1" = "C"          -- True
SELECT "A" REGEXP "1" = "C"       -- True
SELECT "A" >> "1" = "C"           -- True
SELECT "A" RLIKE "1" = "C"        -- True
SELECT "A" SOUNDS LIKE "1" = "C"  -- True
SELECT "A" * "1" = "C"            -- True


String Operator String, Both Strings are Numeric, Not Zero















SELECT "123A" = "-3A" = "C"       -- True
SELECT "123A" <=> "-3A" = "C"     -- True
SELECT "123A" << "-3A" = "C"      -- True
SELECT "123A" <= "-3A" = "C"      -- True
SELECT "123A" < "-3A" = "C"       -- True
SELECT "123A" LIKE "-3A" = "C"    -- True
SELECT "123A" % "-3A" = "C"       -- True
SELECT "123A" MOD "-3A" = "C"     -- True
SELECT "123A" OR "-3A" = "C"      -- True
SELECT "123A" || "-3A" = "C"      -- True
SELECT "123A" REGEXP "-3A" = "C"  -- True
SELECT "123A" >> "-3A" = "C"      -- True
SELECT "123A" RLIKE "-3A" = "C"   -- True
SELECT "123A" XOR "-3A" = "C"     -- True


Single Empty String















SELECT "A" = "" = "C"             -- True
SELECT "A" & "" = "C"             -- True
SELECT "A" | "" = "C"             -- True
SELECT "A" ^ "" = "C"             -- True
SELECT "A" <=> "" = "C"           -- True
SELECT "A" << "" = "C"            -- True
SELECT "A" <= "" = "C"            -- True
SELECT "A" < "" = "C"             -- True
SELECT "A" LIKE "" = "C"          -- True
SELECT "A" - "" = "C"             -- True
SELECT "A" + "" = "C"             -- True
SELECT "A" >> "" = "C"            -- True
SELECT "A" SOUNDS LIKE "" = "C"   -- True
SELECT "A" * "" = "C"             -- True


Double Empty String
















SELECT "" & "" = "C"              -- True
SELECT "" | "" = "C"              -- True
SELECT "" ^ "" = "C"              -- True
SELECT "" > "" = "C"              -- True
SELECT "" << "" = "C"             -- True
SELECT "" < "" = "C"              -- True
SELECT "" - "" = "C"              -- True
SELECT "" != "" = "C"             -- True
SELECT "" <> "" = "C"             -- True
SELECT "" NOT LIKE "" = "C"       -- True
SELECT "" + "" = "C"              -- True
SELECT "" >> "" = "C"             -- True
SELECT "" * "" = "C"              -- True