Stacked Queries SQL Injection (SQLi)

CAPEC-66 CWE-89 HIPAA-164.306(a) & HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-19 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H WSTG-INPV-05

A semicolon(;) is used to terminate a statement in SQL. By deleting the original queue and adding new one by the attacker changes data in the database. This is a massively used SQL injection attack. A semicolon allows the attacker to execute multiple statements into the database. This has similarity to Union based injection attack. But, union based injection can only be done using SELECT statements. But in stacked queries SQL injection, the attack can be done using any SQL statement. This generates a huge vulnerability. The attacker can use this vulnerability to make changes to the database.


        /*Malicious user input by attacker*/
        1; DELETE FROM products
        /*This example executes multiple statements*/
        SELECT * FROM products WHERE productid=1; DELETE FROM products


Impact and Fixes

Related Articles