Asked by xsjyBldb
555-1) OR 847=(SELECT 847 FROM PG_SLEEP(3))--
All Answers 1
Answered by
GPT-5 mini
AI
This string looks like a time‑based SQL‑injection test/payload targeted at PostgreSQL. Breakdown:
- "555-1)" — likely intended to close whatever expression or parentheses were already in the query.
- "OR 847=(SELECT 847 FROM PG_SLEEP(3))" — injects an OR clause that forces the database to execute pg_sleep(3). The pg_sleep call causes the DB session to pause (about 3 seconds) if the injected clause is evaluated, so an attacker can detect a successful injection by observing a delay.
- "--" — SQL comment marker to truncate the remainder of the original query.
In short: it’s used to check for (or exploit) SQL injection by producing a measurable delay if the injection succeeds. Exact behavior can vary by PostgreSQL version and how the original query is structured.
If you’re defending an application, recommended mitigations:
- Use parameterized queries / prepared statements (never concatenate user input into SQL).
- Use up‑to‑date ORM libraries or frameworks that handle binding safely.
- Enforce strict input validation/whitelisting where appropriate (e.g., allow only digits for numeric IDs).
- Apply least privilege to DB accounts — users should not have more privileges than necessary.
- Configure a statement timeout (Postgres: statement_timeout) to stop long-running queries.
- Monitor and log slow queries and unusual query patterns; set alerts for spikes in latency.
- Consider a Web Application Firewall (WAF) to block common injection patterns.
- Restrict execution of dangerous functions where possible (and audit catalog permissions).
If you want, tell me the language/framework and a short snippet of the code that builds the SQL, and I can show how to change it to use parameterized queries or otherwise harden it.
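To make the answer above concrete, here is an added example (not part of the original answer) showing how the posted payload rewrites a concatenated query, the parameterized and allow-listed alternatives the mitigation list recommends, and a small detector for time-based probes in PostgreSQL duration logs. The `users` table, the column names, the DB-API connection passed to `hardened_lookup` and the sample log lines are all assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# The exact string from the question (attacker input captured as a Python literal).
PAYLOAD = "555-1) OR 847=(SELECT 847 FROM PG_SLEEP(3))--"


def vulnerable_query(user_id: str) -> str:
    """'Before' case: user input spliced into SQL text. Table/column names are assumed.
    With PAYLOAD the ')' closes the parenthesised id test, the OR injects the sleep,
    and '--' comments out the trailing ') AND active = true'."""
    return f"SELECT id, name FROM users WHERE (id = {user_id}) AND active = true"


def parameterized_query(user_id: str) -> Tuple[str, Tuple[str, ...]]:
    """'After' case: fixed SQL text plus a separate bind value (psycopg-style %s).
    The driver sends the value out-of-band, so PG_SLEEP(3) is never parsed as SQL;
    the server would simply reject it as an invalid integer."""
    return ("SELECT id, name FROM users WHERE id = %s AND active = true", (user_id,))


def validate_numeric_id(raw: str) -> Optional[int]:
    """Allow-list for numeric ids: only a plain decimal integer passes."""
    if re.fullmatch(r"[0-9]{1,18}", raw):
        return int(raw)
    return None


def hardened_lookup(conn, raw_id: str):
    """Validation + bind parameter + per-transaction statement_timeout.
    `conn` is any DB-API 2 connection (assumed; not exercised here)."""
    user_id = validate_numeric_id(raw_id)
    if user_id is None:
        raise ValueError("user id must be a decimal integer")
    sql, _ = parameterized_query(raw_id)
    with conn.cursor() as cur:
        # Caps this transaction's statements; a pg_sleep that slipped through is cut off.
        cur.execute("SET LOCAL statement_timeout = '2s'")
        cur.execute(sql, (user_id,))
        return cur.fetchone()


# Detection side: look at log_min_duration_statement output for sleep calls and slow queries.
# Constructed sample lines mimicking a PostgreSQL log with a '%t [%p] %u@%d ' prefix.
SAMPLE_LOG = """\
2024-05-01 12:00:00 UTC [4242] app@appdb LOG:  connection received: host=10.0.0.5 port=51234
2024-05-01 12:00:03 UTC [4242] app@appdb LOG:  duration: 3004.512 ms  statement: SELECT id, name FROM users WHERE (id = 555-1) OR 847=(SELECT 847 FROM PG_SLEEP(3))--) AND active = true
2024-05-01 12:00:03 UTC [4243] app@appdb LOG:  duration: 12.001 ms  statement: SELECT id, name FROM users WHERE id = 555 AND active = true
2024-05-01 12:05:00 UTC [4300] admin@appdb LOG:  duration: 5200.100 ms  statement: VACUUM ANALYZE users
"""

DURATION_RE = re.compile(r"duration: (?P<ms>\d+(?:\.\d+)?) ms\s+(?:statement|execute [^:]+): (?P<sql>.*)$")
SLEEP_RE = re.compile(r"\bpg_sleep(?:_for|_until)?\s*\(", re.IGNORECASE)


def flag_time_based_probes(log_text: str, slow_ms: float = 2500.0) -> List[dict]:
    """Return one finding per logged statement that either calls pg_sleep* (almost never
    legitimate from an application account) or exceeds slow_ms."""
    findings = []
    for line in log_text.splitlines():
        m = DURATION_RE.search(line)
        if not m:
            continue
        duration = float(m.group("ms"))
        sql = m.group("sql")
        sleep_call = bool(SLEEP_RE.search(sql))
        slow = duration >= slow_ms
        if sleep_call or slow:
            findings.append({"duration_ms": duration, "sleep_call": sleep_call,
                             "slow": slow, "sql": sql})
    return findings


if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD))
    print(parameterized_query(PAYLOAD))
    print(validate_numeric_id(PAYLOAD), validate_numeric_id("555"))
    for f in flag_time_based_probes(SAMPLE_LOG):
        print(f)
```

The `sleep_call` flag is the higher-confidence signal: a slow statement alone may be a vacuum or a bad plan, while `pg_sleep` in a statement issued by the application role is worth alerting on regardless of its duration (a probe with `pg_sleep(0)` would not show up as slow).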