SQL Injection Modify / Insert Table Values
Query stacking, ie select * from tbl; update ... --
is forbidden by most database management systems. In order to enable query stacking in PHP/MySQL, the application must use the mysql_mutli_query()
function to execute the query. This function is uncommon in the wild.
In SQL injection without query stacking, the attacker is limited by accessible query operators, and SQL functions. The tool SQLMap allows an attacker to access functionality exposed by SQL injection with an easy to use shell. The example sql injection vulnerability provided maybe blind sql injection, which can be exploited with SQLMap.
In MySQL, an attacker can append a union select to access other tables:
select id from db where id = 1 union select password from users
or a sub-select:
select id from db where id = (select password from users)
Additionally an attacker could read file using the load_file()
function:
select from db where id = load_file('/etc/passwd')
Only select statements can use the into outfile
query operator:
select from db where id = 1 union select password from users into outfile '/var/www/backup.txt'
The into outfile
operator requires the use of single-quotes and cannot be used in a SQL injection exploit when mysql_real_escape_string()
is used.
The paper Hackproofing MySQL is still relevant, and covers these attacks, and more.
It may be possible using select into
SELECT id FROM table1 WHERE id = 1 INTO table2
However as the attacker does not directly control the id value the attacker would need another method of controlling this data for the attack to be able to have a meaningful impact.