Stacked Queries SQL Injection (SQLi)

Manieendar Mohan
Published on
04 Jul 2018
SQL Injection

A semicolon(;) is used to terminate a statement in SQL. By deleting the original queue and adding new one by the attacker changes data in the database. This is a massively used SQL injection attack. A semicolon allows the attacker to execute multiple statements into the database. This has similarity to Union based injection attack. But, union based injection can only be done using SELECT statements. But in stacked queries SQL injection, the attack can be done using any SQL statement. This generates a huge vulnerability. The attacker can use this vulnerability to make changes to the database.


        /*Malicious user input by attacker*/
        1; DELETE FROM products
        /*This example executes multiple statements*/
        SELECT * FROM products WHERE productid=1; DELETE FROM products


Impact and Fixes

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.