Is it possible to sneak an “insert” statement (or anything else that changes the database) into a MySQL “select” statement?
I ask because I’m concerned I’ve found an injection vulnerability, but it’s safeguarded from obvious mayhem like '; drop database; -- by virtue of only being able to run a single statement at a time, no matter how many statements the query has been corrupted to contain. But if the back end is executing something like select bar from foo where param = '$improperly_escaped_input', is there something I can input that will compromise my database?
The vulnerability needs to be corrected, regardless. But if I can show an example of how it can be exploited to screw with the data, fixing it goes way up in the priority queue.
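An added example, not from the question or any answer, of the interpolated query shape described above next to its parameterised fix; it assumes Python's sqlite3 as an offline stand-in for MySQL and a constructed table foo(param, bar).

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the question's `foo` table.
    # sqlite3 is an offline stand-in for MySQL; the placeholder is `?` here,
    # `%s` for mysql.connector and `:name` for PDO-style drivers.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (param TEXT, bar TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)",
                     [("alice", "bar-1"), ("O'Brien", "bar-2")])
    return conn


def lookup_unsafe(conn, user_input):
    # The pattern from the question: input spliced straight into the SQL text.
    sql = f"SELECT bar FROM foo WHERE param = '{user_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_input):
    # Parameterised: the driver passes the value separately from the SQL,
    # so quotes, semicolons and comment markers are never parsed as SQL.
    sql = "SELECT bar FROM foo WHERE param = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def demo():
    conn = make_db()
    results = {}
    # A legitimate value containing a quote already breaks the unsafe query,
    # which is the simplest evidence that input reaches the SQL parser.
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe_quote"] = "ok"
    except sqlite3.Error as exc:
        results["unsafe_quote"] = type(exc).__name__
    results["safe_quote"] = lookup_safe(conn, "O'Brien")
    # The question's own example input is plain data to the parameterised form.
    results["safe_payload"] = lookup_safe(conn, "'; drop database; --")
    results["rows_after"] = conn.execute("SELECT count(*) FROM foo").fetchone()[0]
    return results
```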
Modification of data is only one aspect of a SQL injection vulnerability. Even with just read permissions, an attacker can elevate their privileges, or use a blind SQL injection attack to scrape every last bit of data out of your database.
I can’t think of a way off the top of my head that data would be modified inside a select statement… but, are you sure that you’re only able to run a single command at a time?
Regardless, the other attack vectors should be enough of a threat to raise the priority on the issue.
EDIT: Data modification is allowed in MySQL sub-queries: