-2

Is there some way to completely change the SQL statement while writing it:

Let's say I have this:

```sql
SELECT * from `table1` WHERE `column1` LIKE '%%'
```

But now I decide I actually want to SELECT something completely different, like table2 e.g., could I continue writing (i.e. without deleting what I've written this far and without making a completely new statement (separated by a semicolon)) and still get the content of table2 (which I would normally get by writing `SELECT * from table2`)?

I'm asking cause I'm fascinated by SQL injection and wonder how far you can go with it.

hgiesel
  • How is the query currently being built? – Tim Biegeleisen Jul 04 '16 at 01:07
  • @Tim what if he were to click his mouse near `table1` ... close to the 1 part – Drew Jul 04 '16 at 01:08
  • Let's say, you can enter a search query that is inserted between the two `%` signs. – hgiesel Jul 04 '16 at 01:09
  • @Drew I was thinking more along the lines of replacing `table1` with `table1 INNER JOIN table2 ON t1.id = t2.id`, but his code _might_ protect against this, assuming he is using the right tool. – Tim Biegeleisen Jul 04 '16 at 01:09
  • This cannot seriously be a question about sql injection, a fresh one, when volumes here have been written about wedging in injection, can it? – Drew Jul 04 '16 at 01:11

1 Answer

0

No, you cannot change the query backwards. An SQL injection is about amending the query starting from the point where actual injection occurs.

Your Common Sense
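An added example, not part of the question or the answer above: it builds the question's query by pasting a search term between the two `%` signs, shows that a term containing a quote can only rewrite the text after that point while the leading `SELECT * FROM table1` stays fixed, and sets it beside a bound-parameter version in which the same term stays data. The in-memory SQLite table, its rows, the function names and the crafted term are all constructed for illustration.

```python
import sqlite3

# The part of the statement written before the injection point (from the question).
PREFIX = "SELECT * FROM table1 WHERE column1 LIKE '%"

def setup():
    """Constructed sample data: an in-memory table1 with three rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE table1 (column1 TEXT)")
    db.executemany("INSERT INTO table1 VALUES (?)",
                   [("apple",), ("banana",), ("cherry",)])
    return db

def build_concatenated(term):
    """Vulnerable pattern: the term is pasted between the two % signs."""
    return PREFIX + term + "%'"

def search_concatenated(db, term):
    return db.execute(build_concatenated(term)).fetchall()

def search_parameterized(db, term):
    """Hardened pattern: the term is bound as a value, never parsed as SQL.
    LIKE wildcards in the term are escaped so it matches literally."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return db.execute(
        "SELECT * FROM table1 WHERE column1 LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()

# Constructed term: closes the string literal and appends a second condition.
CRAFTED = "zzz%' OR column1 LIKE '%"

if __name__ == "__main__":
    db = setup()
    print(build_concatenated(CRAFTED))        # prefix unchanged, tail rewritten
    print(search_concatenated(db, "an"))      # normal search: one row
    print(search_concatenated(db, CRAFTED))   # filter widened: every row
    print(search_parameterized(db, CRAFTED))  # bound value: no rows match
```
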