Home/ Questions/Q 9150083
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T11:33:55+00:00

There is an article about SQL injection: Abusing MySQL string arithmetic for tiny SQL

  • 0

There is an article about SQL injection: Abusing MySQL string arithmetic for tiny SQL injections

The question is, what is the meaning of select ''-'' ? I try it with MySQL, and it returns:

mysql> select ''-'';
+-------+
| ''-'' |
+-------+
|     0 |
+-------+
1 row in set (0.00 sec)

What happend? What means that 0?

And the result of select '-':

mysql> select '-';
+---+
| - |
+---+
| - |
+---+
1 row in set (0.00 sec)

I am very confused about these result.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You are minus - from one empty string '' to other:

    See following: 

    mysql> select '';
+--+
|  |
+--+
|  |
+--+
1 row in set (0.00 sec)  

mysql> select '3'-'2';
+---------+
| '3'-'2' |
+---------+
|       1 |
+---------+
1 row in set (0.00 sec)

    But warning if its not a number string: 

    mysql> select 'a'-'b';
+---------+
| 'a'-'b' |
+---------+
|       0 |
+---------+
1 row in set, 2 warnings (0.00 sec)

    Two warnings: 

    mysql> SHOW WARNINGS LIMIT 2
    -> ;
+---------+------+---------------------------------------+
| Level   | Code | Message                               |
+---------+------+---------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'a' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'b' |
+---------+------+---------------------------------------+
2 rows in set (0.00 sec)

    Why no warning for empty string?

    Where as there is no warning for empty string because its(casted something) 0 see below: 

    mysql> SELECT 0 = '';
+--------+
| 0 = '' |
+--------+
|      1 |
+--------+
1 row in set (0.00 sec)

    hence by doing ''-'' you are doing 0 - 0 

    mysql> SELECT '' - '';
+---------+
| '' - '' |
+---------+
|       0 |
+---------+
1 row in set (0.00 sec)

    To be more clear I am adding following example (I feels will be helpful to you):
    How conversion happen: 

    mysql> SELECT '0' = 0
    -> ;
+---------+
| '0' = 0 |
+---------+
|       1 |
+---------+
1 row in set (0.00 sec)

    notice its conversion: 

    mysql> SELECT '' = '0'
    -> ;
+----------+
| '' = '0' |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)

    '' converted into 0, '0' converted into 0 but '' not equals to '0' 

    mysql> SELECT '1' = 1
    -> ;
+---------+
| '1' = 1 |
+---------+
|       1 |
+---------+
1 row in set (0.00 sec)

mysql> SELECT '' = 1
    -> ;
+--------+
| '' = 1 |
+--------+
|      0 |
+--------+
1 row in set (0.00 sec)
    • 0