Is it possible to SQL inject a single query that ends with DESC or ASC where those values are pulled from a variable?
SELECT * FROM [master].[dbo].[spt_values] ORDER BY low asc
Attempts to add a semicolon and a new statement will not work as the statement is loaded directly into a record set.
We have tried semicolon new statement and union, etc.
Is there any way to join a dataset into the first one without nesting as the first one isn’t nested?
Edit:
The semicolon new command won’t work as it all comes back as a record set. It just throws all sorts of errors with a new command. It is being fixed currently. Just trying to show upper management that these things are not good practice.
Yes, this is possible. Why don’t you validate the untrusted(!) input string?
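One way to do the validation the answer asks for, as an added example that is not part of the original question or answer: the sort direction is a SQL keyword and cannot be passed as a bound parameter, so the untrusted value is mapped through an allow-list and only the fixed keyword is concatenated. The function names are hypothetical, and an in-memory SQLite table with constructed rows stands in for `spt_values`.

```python
import sqlite3

# Allow-list: the only text that may ever be appended to the ORDER BY clause.
_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def sort_keyword(user_value):
    """Map untrusted input to a fixed SQL keyword, or raise ValueError."""
    if not isinstance(user_value, str):
        raise ValueError("sort direction must be a string")
    try:
        return _DIRECTIONS[user_value.strip().lower()]
    except KeyError:
        raise ValueError("sort direction must be 'asc' or 'desc'") from None


def fetch_sorted(conn, user_value):
    # The keyword comes from _DIRECTIONS, never from the caller's string.
    sql = "SELECT name, low FROM spt_values ORDER BY low " + sort_keyword(user_value)
    return conn.execute(sql).fetchall()


def make_demo_db():
    # Constructed sample rows (assumption: stand-in for the real table).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spt_values (name TEXT, low INTEGER)")
    conn.executemany(
        "INSERT INTO spt_values VALUES (?, ?)",
        [("a", 3), ("b", 1), ("c", 2)],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(fetch_sorted(conn, "desc"))
    # Anything that is not exactly asc/desc is refused before a query is built.
    for bad in ("asc; SELECT 1", "asc UNION SELECT 1, 2", ""):
        try:
            fetch_sorted(conn, bad)
        except ValueError as exc:
            print("rejected:", repr(bad), "->", exc)
```

Rejecting the request outright, rather than trying to strip characters from the string, keeps the query text fully determined by the application.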