Is there a way to update a table, and select it within one statement?

Question

I am currently practicing SQL injection on a local host web application. In order to successfully do that, a value must be returned in the statement (by using SELECT). I'm trying to change the password of the user:

changepwd', (UPDATE mysql.user SET authentication_string=PASSWORD('new password') 
             WHERE user='root' UNION SELECT authentication_string from mysql.user)) #

With SQL injection you can't use ;. I tried UNIONin that example to see if it would work but no luck. Any other ideas i could try?

This is very easy with Postgres. Which DBMS are you using? – Nov 23 '16 at 22:03 — , Nov 23 '16 at 22:03

score 0 · Answer 1 · edited May 23 '17 at 11:59

0

I think the answer to this question is here.

In short the answer is create a stored procedure.

edited May 23 '17 at 11:59

Community

1
1

answered Nov 23 '16 at 22:15

Ricardo Rodrigues

133
7

generally speaking this is the way to go, but he's asking about sql injection, so creating a SP is not an option – Nir Levy Nov 23 '16 at 22:17
Then is it possible to inject and procedure and call it? Maybe by changing the delimiter and running several calls. (I don't know if it's possible and haven't tested it) – Ricardo Rodrigues Nov 23 '16 at 22:32

Is there a way to update a table, and select it within one statement?

1 Answers1