
There is a search box I've been testing using a blind sql injection technique.

When I want to get posts which include 'A', I just submit letter A in the search box. However, to get all the posts, I wanted to make the WHERE LIKE clause true.

So I post A%'='A to make the value true. I expected SELECT * FROM list WHERE title LIKE 'A%'='A%';. But it shows all the posts except the ones that include letter 'A'. Likewise, when I post A%'!='A, I get the results that include 'A'.

I don't know why this happens.

Jay Cho

1 Answer


Your query obviously does not make much sense, but MySQL will make its best effort to obey your request by using autocast to make sense of it.

First it will evaluate title LIKE 'A%'. This returns a truthy/falsy value, which for MySQL is 1 or 0 (an integer).

Next, you compel MySQL to compare this integer to 'A%'. MySQL will try to comply with that request, and convert this string into a 0 for you.

So LIKE 'A%'='A%' will end up being the same as

where (title LIKE 'A%') = 0

which is the same as

where not (title LIKE 'A%')

returning all titles that do not start with an A.

Similarly, LIKE 'A%'!='A%' will become

where (title LIKE 'A%') != 0

which is the same as

where (title LIKE 'A%')

so you get all titles that do start with an A.

Don't forget to tell the owner of that checkbox to always parametrize your inputs.

Solarflare
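As an added example (not code from the question or the answer), the following Python models the evaluation the answer describes and contrasts it with the parameterized query it recommends. The sample titles are constructed here; the MySQL cast and LIKE behaviour are modelled in plain Python (assuming the default case-insensitive collation), and sqlite3 stands in for the database in the safe version.

```python
import re
import sqlite3

# Constructed sample data standing in for the `list` table in the question.
TITLES = ["Apple pie", "Banana bread", "avocado toast", "Cherry tart"]

def mysql_string_to_number(s):
    """Model MySQL's implicit string->number cast in a numeric comparison:
    a leading numeric prefix is kept, anything else (e.g. 'A%') becomes 0."""
    m = re.match(r"\s*[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?", s)
    return float(m.group(0)) if m else 0.0

def like_prefix(title, prefix):
    """Model `title LIKE '<prefix>%'` under MySQL's default case-insensitive
    collation; like any MySQL comparison it yields the integer 1 or 0."""
    return int(title.lower().startswith(prefix.lower()))

def injected_search(titles, op):
    """Model the query built by concatenating the input A%'='A (op '=') or
    A%'!='A (op '!='):   WHERE title LIKE 'A%' <op> 'A%'
    MySQL parses this as (title LIKE 'A%') <op> 'A%' and casts 'A%' to 0."""
    rhs = mysql_string_to_number("A%")   # -> 0.0, the cast the answer describes
    hits = []
    for t in titles:
        lhs = like_prefix(t, "A")        # 1 or 0
        matched = (lhs == rhs) if op == "=" else (lhs != rhs)
        if matched:
            hits.append(t)
    return hits

def safe_search(titles, user_input):
    """Parameterized version: the input is bound as one LIKE pattern, so
    quotes inside it can never change the shape of the WHERE clause."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE list (title TEXT)")
    con.executemany("INSERT INTO list VALUES (?)", [(t,) for t in titles])
    rows = con.execute(
        "SELECT title FROM list WHERE title LIKE ? ORDER BY rowid",
        (user_input,),
    ).fetchall()
    con.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("A%'='A  ->", injected_search(TITLES, "="))    # titles NOT starting with A
    print("A%'!='A ->", injected_search(TITLES, "!="))   # titles starting with A
    print("bound   ->", safe_search(TITLES, "A%'='A"))   # pattern taken literally: []
```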