Home/ Questions/Q 4533800
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T14:12:04+00:00

I’ve got one easy question: say there is a site with a query like:

  • 0

I’ve got one easy question: say there is a site with a query like:

SELECT id, name, message FROM messages WHERE id = $_GET['q'].

Is there any way to get something updated/deleted in the database (MySQL)? Until now I’ve never seen an injection that was able to delete/update using a SELECT query, so, is it even possible?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you say you use mysql_query that doesn’t support multiple queries, you cannot directly add DELETE/UPDATE/INSERT, but it’s possible to modify data under some circumstances. For example, let’s say you have the following function

    DELIMITER //
CREATE DEFINER=`root`@`localhost` FUNCTION `testP`()
RETURNS int(11)
LANGUAGE SQL
NOT DETERMINISTIC
MODIFIES SQL DATA
SQL SECURITY DEFINER
COMMENT ''  
BEGIN      
  DELETE FROM test2;
  return 1;
END //

    Now you can call this function in SELECT :
    SELECT id, name, message FROM messages WHERE id = NULL OR testP()
    (id = NULL – always NULL(FALSE), so testP() always gets executed.

    • 0