Stacked Queries SQL Injection (SQLi)

By
Manieendar Mohan
Published on
04 Jul 2018
Vulnerability
SQL Injection

A semicolon(;) is used to terminate a statement in SQL. By deleting the original queue and adding new one by the attacker changes data in the database. This is a massively used SQL injection attack. A semicolon allows the attacker to execute multiple statements into the database. This has similarity to Union based injection attack. But, union based injection can only be done using SELECT statements. But in stacked queries SQL injection, the attack can be done using any SQL statement. This generates a huge vulnerability. The attacker can use this vulnerability to make changes to the database.

Example

        /*Malicious user input by attacker*/
        1; DELETE FROM products
        
        /*This example executes multiple statements*/
        SELECT * FROM products WHERE productid=1; DELETE FROM products

Impact and Fixes

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Start free trial