SQL/GUI Lookup query

Splinter · 02-09-2014 4:14pm #1

Hi All,

bit of an unusual one. I have an application here locally where i have admin access to the DB but no access to change the DB that i'm aware of. In the gui we have a search box that looks like it should act as an exact search like the below:
SELECT
[TITLE]
FROM
[TIPS]
WHERE
[TITLE] = 'something'

but its actually working like

SELECT
[TITLE]
FROM
[TIPS]
WHERE
[TITLE] LIKE '%something%' ;

the user only has access to dictate the lookup table and the actual text they want to search for. But not whether or not its a wildcard or exact. Any idea if its possible to put an escape character inside the search text? My gut feeling is no, but just thought i'd ask.

The sql is running on MS SQL Express 2008

cheers
Splinter

BrokenArrows · 02-09-2014 4:27pm

depending on how dodgy the background code is entering this might work.

%' AND 'mysearchterm

So that will give a search for [TITLE] LIKE '%%' AND 'mysearchterm%' ;

Its not 100% exact but it is a begins with style search.

Splinter · 02-09-2014 4:31pm

so it would become

SELECT
[TITLE]
FROM
[TIPS]
WHERE
[TITLE] LIKE '%''something%' ;

?

just trying that and no luck

neil_hosey · 02-09-2014 4:31pm

most definately dodgy.

Splinter · 02-09-2014 4:34pm

no luck with search for ' AND 'selection either i'm afraid

shrewd · 02-09-2014 4:39pm

What is the objective here?

what are trying to escape?

BrokenArrows · 02-09-2014 4:42pm

Splinter wrote: »

no luck with search for ' AND 'selection either i'm afraid

well then it looks like back background code is done properly so you are out of luck.

Aswerty · 02-09-2014 4:50pm

You have admin access to the DB but don't have the access to change the DB? This sounds like a contradiction.

Also can you specify if the SQL query is baked into the GUI based application, which I assume runs on a users machine, or wheter it is a stored procedure.

Finally, performing SQL injection on your own system to modify an SQL query is just insane.

Splinter · 02-09-2014 4:58pm

I personally have db admin access but i don't know if i have access to change the query. I amn't responsible for the build of the application so alot of it is me trying to figure it out from what is labelled correctly. Is it possible to find the query or is that held inside the application side of it? My knowledge of where queries are built/run from is limited i'm afraid

thanks

Aswerty · 02-09-2014 5:14pm

If you have DB admin access you should have sufficient access to make changes to the database. The issue is that you don't actually seem to know where the query is stored. If it is a stored procedure then it is stored in the DB and you should be able to modify it yourself. You would best do this by accessing the SQL server with a managment client (e.g. SQL Server Management Studio, MySQL Workbench).

N.B. Messing around with a database when you don't know what you are doing is a recipe for disaster!

If it is part of the GUI application itself then there is a very good chance that the only way to modify it is to modify the applications source code and rebuild it. If this is the case I think getting a hold of someone who is responsible for the development of the application is a must.

If this is a critical/live system that you are looking at modifying I'd think twice about making any changes before you have a lot more knowledge of the systems in place.

Aztech · 03-09-2014 8:52am

It looks like the code is written well enough to stop SQL injection. So amending how this works would only seem to be possible if it happens to be executing in a stored procedure.

You could run SQL Express Profiler (aka ExpressProfiler, I can't post links but a quick search will find it) to see what's executing the query on the database. If it's an SP it will be easy to make the change you need. If it is not, you are going to need changes to the code.

SQL/GUI Lookup query

Comments