views: 109 | answers: 3
Hello, this is part of a security audit, so there is no way to "change" the query.

Basically, what I found is a flaw that allows statement manipulation, so basically it goes like:

$query = "DELETE FROM `products` WHERE `products`.`whatever` = $variable";

This is PHP, so as far as I know there is no way to execute multiple queries. Using this SQL Injection, I was able to "clear" this table by running "0 OR 1=1#".

This works just fine, but it doesn't allow me to choose more tables to delete from.

This is, in pseudocode, what I want to do:

DELETE FROM `products` WHERE `products`.`whatever` = **0 OR 1=1, FROM `othertable` WHERE `othertable`.`othercolumn` = 0 OR 1=1**

Is this plausible anyhow?

If this isn't reliable, is there any other way I could use this?

+2  A: 

You can't have multiple FROM clauses for the same DELETE statement, so you can't go about it exactly how you'd want to. If the MySQL db had 'allow multiple queries per statement' turned on, you could try to terminate the one DELETE query and then tack on another to the end, so that it'd look like this:

DELETE FROM `products` WHERE `products`.`whatever` = **0 OR 1=1; DELETE FROM `othertable` WHERE `othertable`.`othercolumn` = 0 OR 1=1**

But that's about it.

Amber
Yeah, thanks. So there is no way this can be done? I might post a MySQL bug. xD
José Manuel
@Jose: It's not a MySQL issue. The PHP driver module simply doesn't support it.
zombat
You can in fact delete from multiple tables in one query, but they must be specified in the FROM clause (after the WHERE is too late). PHP is *configured* not to allow multiple queries in one call; other languages might be more permissive.
too much php
@Jose: Other modules, such as MySQLi, do have support for this. See MySQLi's `multi_query()`: http://www.php.net/manual/en/mysqli.multi-query.php
zombat
@zombat Yes, but you can actually enable it: http://dev.mysql.com/doc/refman/5.1/en/mysql-set-server-option.html
José Manuel
+2  A: 

Perhaps I don't fully understand the question, but what I take away is that you're building a SQL command as a string and running that string directly against a MySQL database.

You can separate multiple commands using the command separator (usually ';'), so you could run pretty much any command you want as this comic aptly illustrates.

If your database configuration supports multiple commands (or might in the future if someone changes today's setting), you want to ensure you don't have a command separator as part of the input. See this article for advice on sanitizing your input to prevent this type of attack.

Eric J.
LOL, that's funny xD. But back to our business, the semicolon doesn't work within the MySQL API (which PHP uses), so there is no way to run "more than one" command.
José Manuel
Yes, this answer is technically incorrect. The standard MySQL driver module for PHP does not support multiple statements in a query, so it doesn't matter what your database settings are or what you separate your statements with. Other modules have support for this however, such as MySQLi's multi_query().
zombat
Well, actually it SUPPORTS it if it is enabled.
José Manuel
+1  A: 

As you stated, multiple queries are not supported by the normal MySQL driver module. From the manual for mysql_query:

mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.

Unfortunately for your injection efforts, DELETE syntax only supports multiple table deletes by specifying them in the FROM clause. Your injected variable is part of the WHERE, so the most damage you can do is to the single specified table.

Contrary to popular belief, you can actually run multiple MySQL statements from PHP, you just have to be using a different database driver module such as MySQLi. See MySQLi::multi_query().

zombat
Yeah, thanks, although it's not really damaging, it's a part of a security audit, as I mentioned :P
José Manuel
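An added example, not code from the question or from any of the answers above, that puts the three points of this thread side by side in a script you can run offline: the concatenated DELETE from the question wipes the whole table with the "0 OR 1=1" input, the same DELETE with a bound parameter deletes nothing for that input, and a single-statement driver API refuses a second ';'-separated statement the way the answers describe mysql_query() doing. SQLite stands in for MySQL so the script needs no server; the trailing "#" from the question's payload is dropped because SQLite has no "#" comment syntax (and the original query has nothing after the variable for it to comment out anyway). Table names, columns and rows are constructed for the demo.

```python
import sqlite3

# Constructed payload from the thread, minus the MySQL-only "#" comment marker.
PAYLOAD = "0 OR 1=1"


def fresh_db():
    """In-memory database with two tables of constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, whatever INTEGER);
        CREATE TABLE othertable (id INTEGER PRIMARY KEY, othercolumn INTEGER);
        INSERT INTO products (whatever) VALUES (1), (2), (3);
        INSERT INTO othertable (othercolumn) VALUES (1), (2);
    """)
    return conn


def count(conn, table):
    """Row count of a table; table name is one of the two fixed names above."""
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def delete_vulnerable(conn, variable):
    """The pattern from the question: the variable is pasted into the SQL text,
    so "0 OR 1=1" becomes part of the WHERE clause and matches every row.
    Returns the number of products left afterwards."""
    query = f"DELETE FROM products WHERE products.whatever = {variable}"
    conn.execute(query)
    conn.commit()
    return count(conn, "products")


def delete_safe(conn, variable):
    """Same DELETE with a bound parameter: whatever the caller passes is sent
    as a value, never as SQL, so "0 OR 1=1" is compared as a string and matches
    nothing.  Returns the number of products left afterwards."""
    conn.execute("DELETE FROM products WHERE products.whatever = ?", (variable,))
    conn.commit()
    return count(conn, "products")


def stacked_delete_rejected(conn, variable):
    """Mirrors the mysql_query() behaviour the answers describe: a
    single-statement API refuses text containing a second statement before
    running any of it.  Returns True if the driver rejected the call.
    sqlite3 raises ProgrammingError for this (older versions raised Warning)."""
    query = (f"DELETE FROM products WHERE products.whatever = {variable}; "
             f"DELETE FROM othertable WHERE othertable.othercolumn = {variable}")
    try:
        conn.execute(query)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, products left:", delete_vulnerable(db, PAYLOAD))
    db = fresh_db()
    print("parameterised, products left:", delete_safe(db, PAYLOAD))
    db = fresh_db()
    print("stacked statement rejected:", stacked_delete_rejected(db, PAYLOAD),
          "| othertable rows:", count(db, "othertable"))
```

The driver's refusal to stack statements only limits the second table; the first DELETE is already unbounded, which is why the fix is the bound parameter, not the driver setting. The same applies to MySQLi prepared statements in PHP: bind the value with bind_param() instead of building the query string.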