1

I know this might sound strange and I can certainly work around my problem. I am using SQL on server side code and a statement is similar to the following:

SELECT myCol FROM mytable WHERE myCol2=url_parameter

url_parameter is a string passed through the URL. Is there any way to set url_parameter to something but still get all facts in the table?

aless80
  • 3,122
  • 3
  • 34
  • 53
  • What brand of SQL? – Kent Weigel Nov 18 '16 at 21:48
  • If you have the capacity to hack it, there are SQL injection tricks where you could do something like url_parameter = `whatever' or 1=1`. HACK being the operative word. If that does work, you have MUCH bigger concerns, however. – RThomas Nov 18 '16 at 21:51

2 Answers

1

There shouldn't be; if there is, then the server side is written in a way that would allow SQL injection attacks, which is likely a bigger problem than the one you want to solve.

If you are able to modify the server side code, then you could have it respond to some parameter value or combination of parameter values by running a variation of the query that doesn't have the WHERE condition. Or there are other options... but you already said you can work around it, so I assume you have one of those ideas in mind.

Mark Adelsberger
  • 42,148
  • 4
  • 35
  • 52
  • Thanks, I could have used Gordon's solution by passing nothing, but it would be ugly and, according to you, vulnerable. I just created another class for when I need the query without WHERE because I could make the query dynamic. – aless80 Nov 20 '16 at 23:56
1

The normal way to handle this is by having a query that looks like:

SELECT myCol
FROM mytable
WHERE myCol2 = url_parameter OR url_parameter IS NULL;  -- or url_parameter = '';

If you were munging the SQL string instead of passing a parameter, you could insert the value myCol2 (without quotes) when you want to get all values. However, you should be using parameters.

Gordon Linoff
  • 1,242,037
  • 58
  • 646
  • 786
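Both answers in runnable form, as an added example that is not part of either post: Gordon's single parameterized query with a NULL/empty-string sentinel, and Mark's server-side choice between two fixed statements. The in-memory SQLite table, its sample rows and the function names are constructed for the demonstration. It also shows that the string from RThomas's comment, once bound as a parameter, is compared as data and matches no row.

```python
import sqlite3

# Constructed sample data standing in for the poster's "mytable"; not from the original post.
SAMPLE_ROWS = [("a", "x"), ("b", "y"), ("c", "x")]


def make_db():
    """Build an in-memory SQLite table with the column names used in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (myCol TEXT, myCol2 TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup(conn, url_parameter):
    """Gordon's pattern: one parameterized query; NULL (or '') for the filter means 'all rows'.

    The value is bound, never spliced into the SQL text, so a string such as
    "whatever' or 1=1" is compared literally against myCol2 and matches nothing.
    """
    # Fold the empty string into NULL, covering the answer's "-- or url_parameter = ''" variant.
    bound = url_parameter if url_parameter else None
    cur = conn.execute(
        "SELECT myCol FROM mytable WHERE myCol2 = :p OR :p IS NULL ORDER BY myCol",
        {"p": bound},
    )
    return [row[0] for row in cur]


def lookup_two_queries(conn, url_parameter):
    """Mark's suggestion: the server picks one of two fixed statements.

    The unfiltered statement is reached only when the server-side code decides
    to drop the WHERE clause; no value of the parameter alone can produce it.
    """
    if url_parameter is None or url_parameter == "":
        cur = conn.execute("SELECT myCol FROM mytable ORDER BY myCol")
    else:
        cur = conn.execute(
            "SELECT myCol FROM mytable WHERE myCol2 = ? ORDER BY myCol",
            (url_parameter,),
        )
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "x"))                  # ['a', 'c']
    print(lookup(db, None))                 # ['a', 'b', 'c']
    print(lookup(db, "whatever' or 1=1"))   # []  (treated as data, not as SQL)
    print(lookup_two_queries(db, ""))       # ['a', 'b', 'c']
```

One practical caveat when choosing between the two: the `OR :p IS NULL` form is a single statement, which keeps the server code small, but on some database engines such catch-all predicates defeat index use or produce a poor cached plan; the two-statement approach gives the optimizer a plain equality predicate in the filtered case.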