I built a website that uses SQL Server and have this SQL for deleting items by an ID that I'm getting from the query string:
DELETE FROM tablename WHERE GUID = 'param'
Is it possible to inject SQL that will return db_name(), for example?
I know that I can inject SQL only for SELECT statements, something like this:
select name from tablename where 'parems'
union all
select db_name()
But what about DELETE statements?
I know that I can drop a table or insert into a table, but at this stage I need to know if I can get some kind of data, e.g. db_name().
Sure. This value of param:
' OR ''='
will result in this statement:
DELETE FROM tablename WHERE GUID ='' OR '' = ''
which will delete all data in the table.
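
The DELETE from the question, built by concatenation and then with a validated, bound parameter, run against the value given in the answer. This is an added example, not code from the original post. Assumptions: Python's sqlite3 with an in-memory table stands in for SQL Server so it runs offline, and the function names and sample rows are constructed for illustration.

```python
import sqlite3
import uuid

def make_db():
    """Constructed sample table with three rows (not from the original post)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tablename (GUID TEXT PRIMARY KEY, name TEXT)")
    guids = [str(uuid.UUID(int=i)) for i in (1, 2, 3)]
    db.executemany("INSERT INTO tablename VALUES (?, ?)",
                   [(g, "item-%d" % i) for i, g in enumerate(guids)])
    return db, guids

def delete_concat(db, param):
    """The pattern from the question: the value is pasted into the SQL text."""
    cur = db.execute("DELETE FROM tablename WHERE GUID = '" + param + "'")
    return cur.rowcount

def delete_bound(db, param):
    """Hardened form: validate that the value is a GUID, then bind it."""
    try:
        guid = str(uuid.UUID(param))
    except (ValueError, AttributeError, TypeError):
        return None  # not a GUID: reject before touching the database
    # The placeholder keeps the value as data; it is never parsed as SQL.
    cur = db.execute("DELETE FROM tablename WHERE GUID = ?", (guid,))
    return cur.rowcount

def remaining(db):
    return db.execute("SELECT COUNT(*) FROM tablename").fetchone()[0]

def demo():
    payload = "' OR ''='"  # the value of param shown in the answer above
    db, guids = make_db()
    concat_deleted = delete_concat(db, payload)   # WHERE becomes always true
    concat_left = remaining(db)
    db, guids = make_db()
    bound_result = delete_bound(db, payload)      # rejected, nothing deleted
    bound_left = remaining(db)
    one_deleted = delete_bound(db, guids[0])      # a real GUID deletes one row
    return (concat_deleted, concat_left, bound_result, bound_left,
            one_deleted, remaining(db))

if __name__ == "__main__":
    print(demo())
```

The same two steps carry over to SQL Server: parse the query-string value as a GUID in the application, and pass it to the DELETE as a typed parameter instead of building the statement text.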