I need some help please.
Say I used sql injection methods to get the database name of a website, and managed to get all the data from the tables, is it possible to alter that data without having to identify on the server using a basic sql client?
Thank you.
(I would prefer if the answer would be general to all database types, but if not, the database's version in question is mysql)
It depends on the privileges granted to the database account, the database user that the web server uses to connect to the database, and the nature of the SQL Injection vulnerability.
If the vulnerability is open enough to allow you to extract all data from all tables, it's likely that the website is vulnerable to creation and alteration of procedures, as well INSERT/UPDATE/DELETE operations on tables. (That same inattention and lack of care that goes into creating websites that are vulnerable to SQL Injection, that's often the same kind of inattention that's dedicated to determining database privileges... (I'll just use "root", or I'll use a database account that has all privileges on all objects...)
It's entirely possible, and relatively easy, to create a website that is vulnerable to this kind of injection.
(And StackOverflow questions and answers are rife with examples of the kind of code you would need to make a website vulnerable in this way. SQL Injection vulnerabilities are just the tip of the iceberg... if a website is insecure in this way, it's almost a given that there are other vulnerabilities. (SQL Injection just happens to be a very easy vulnerability to exploit.)
And these insecure patterns that developers become accustomed to...
(after all, this website I'm developing "is only for development/education/my use/et al.", "so security isn't a concern", or "i'll address the security vulnerabilities after I get all of it developed, debugged, tested" yada, yada, yada
... those patterns for writing insecure code becomes firmly entrenched.