UPDATE as subquery of SELECT

dbTalk Databases Forums - comp.databases.mysql

#1 Alfio Emanuele Fresta - UPDATE as subquery of SELECT - 03-25-2011, 12:47 AM

I need to create an UPDATE query as a subquery of a SELECT one (after
the where keyword)

Something like:
SELECT x FROM u WHERE k=i AND y IN (UPDATE o SET p=i WHERE r=u) AND y < 4
(This is a wrong one)

Even if it doesn't make any sense, I need the update query to be
executed.

Thanks in advance,
Alfio

#2 strawberry - Re: UPDATE as subquery of SELECT - 03-25-2011, 03:33 AM

Demonstration of your efforts at constructing the query for yourself are appreciated. However, if you want help I suggest you provide a representative data set together with an illustration (in something approaching plain English) of what it is you're trying to achieve.

#3 Alfio Emanuele Fresta - Re: UPDATE as subquery of SELECT - 03-25-2011, 04:10 AM

On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> Demonstration of your efforts at constructing the query for yourself are appreciated. However, if you want help I suggest you provide a representative data set together with an illustration (in something approaching plain English) of what it is you're trying to achieve.

The representative data set doesn't matter, I guess.
All I need is to execute an UPDATE query via an SQL-INJECTION, like
"UPDATE core_user SET pass='1' WHERE userid='/admin'"
I can only inject SQL in the WHERE clause of a SELECT query.
I don't mind what the SELECT will return.
I cannot use multiple queries.

#4 Jerry Stuckle - Re: UPDATE as subquery of SELECT - 03-25-2011, 05:52 AM

On 3/25/2011 2:47 AM, Alfio Emanuele Fresta wrote:
> I need to create an UPDATE query as a subquery of a SELECT one (after
> the where keyword)
>
> Something like:
> SELECT x FROM u WHERE k=i AND y IN (UPDATE o SET p=i WHERE r=u) AND y < 4
> (This is a wrong one)
>
> Even if it doesn't make any sense, I need the update query to be
> executed.
>
> Thanks in advance,
> Alfio

SQL doesn't allow an UPDATE as a subquery of a SELECT statement.

Maybe rather than telling us what you need, you should tell us what
you're trying to do. Then maybe we can give you suggestions as to what
can work.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================

#5 Jerry Stuckle - Re: UPDATE as subquery of SELECT - 03-25-2011, 05:54 AM

On 3/25/2011 6:10 AM, Alfio Emanuele Fresta wrote:
> On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> > Demonstration of your efforts at constructing the query for yourself are appreciated. However, if you want help I suggest you provide a representative data set together with an illustration (in something approaching plain English) of what it is you're trying to achieve.
>
> The representative data set doesn't matter, I guess.
> All I need is to execute an UPDATE query via an SQL-INJECTION, like
> "UPDATE core_user SET pass='1' WHERE userid='/admin'"
> I can only inject SQL in the WHERE clause of a SELECT query.
> I don't mind what the SELECT will return.
> I cannot use multiple queries.

It does if you want help on how it can be done. SQL does not allow an
UPDATE in a WHERE clause.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================

#6 Tony Mountifield - Re: UPDATE as subquery of SELECT - 03-25-2011, 06:44 AM

In article <9b81d0a5-450b-48a6-a3d4-24d2119c0c13 (AT) h38g2000yqn (DOT) googlegroups.com>,
Alfio Emanuele Fresta <alfio.emanuele.f (AT) gmail (DOT) com> wrote:
> On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> > Demonstration of your efforts at constructing the query for yourself are appreciated.
> > However, if you want help I suggest you provide a representative data set together with an
> > illustration (in something approaching plain English) of what it is you're trying to
> > achieve.
>
> The representative data set doesn't matter, I guess.
> All I need is to execute an UPDATE query via an SQL-INJECTION, like
> "UPDATE core_user SET pass='1' WHERE userid='/admin'"
> I can only inject SQL in the WHERE clause of a SELECT query.
> I don't mind what the SELECT will return.
> I cannot use multiple queries.

This sounds rather like "I'm trying to hack someone's site using SQL Injection
but I don't really know what I'm doing. Can you guys help me break the law?"

Er, no.

Tony
--
Tony Mountifield
Work: tony (AT) softins (DOT) co.uk - http://www.softins.co.uk
Play: tony (AT) mountifield (DOT) org - http://tony.mountifield.org

#7 Jerry Stuckle - Re: UPDATE as subquery of SELECT - 03-25-2011, 07:30 AM

On 3/25/2011 8:44 AM, Tony Mountifield wrote:
> In article <9b81d0a5-450b-48a6-a3d4-24d2119c0c13 (AT) h38g2000yqn (DOT) googlegroups.com>,
> Alfio Emanuele Fresta <alfio.emanuele.f (AT) gmail (DOT) com> wrote:
> > On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> > > Demonstration of your efforts at constructing the query for yourself are appreciated.
> > > However, if you want help I suggest you provide a representative data set together with an
> > > illustration (in something approaching plain English) of what it is you're trying to
> > > achieve.
> >
> > The representative data set doesn't matter, I guess.
> > All I need is to execute an UPDATE query via an SQL-INJECTION, like
> > "UPDATE core_user SET pass='1' WHERE userid='/admin'"
> > I can only inject SQL in the WHERE clause of a SELECT query.
> > I don't mind what the SELECT will return.
> > I cannot use multiple queries.
>
> This sounds rather like "I'm trying to hack someone's site using SQL Injection
> but I don't really know what I'm doing. Can you guys help me break the law?"
>
> Er, no.
>
> Tony

That was my first thought also, Tony, but I'm not sure.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================

#8 Doug Miller - Re: UPDATE as subquery of SELECT - 03-25-2011, 09:09 AM

In article <9b81d0a5-450b-48a6-a3d4-24d2119c0c13 (AT) h38g2000yqn (DOT) googlegroups.com>, Alfio Emanuele Fresta <alfio.emanuele.f (AT) gmail (DOT) com> wrote:
> On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> > Demonstration of your efforts at constructing the query for yourself are appreciated. However, if you want help I suggest you provide a representative data set together with an illustration (in something approaching plain English) of what it is you're trying to achieve.
>
> The representative data set doesn't matter, I guess.
> All I need is to execute an UPDATE query via an SQL-INJECTION, like
> "UPDATE core_user SET pass='1' WHERE userid='/admin'"
> I can only inject SQL in the WHERE clause of a SELECT query.
> I don't mind what the SELECT will return.
> I cannot use multiple queries.

So in other words, you want to hack someone else's site but don't have the
first clue how to do it yourself -- and you want us to help you.

FOAD.

#9 Alfio Emanuele Fresta - Re: UPDATE as subquery of SELECT - 03-25-2011, 11:34 AM

On 25 Mar, 16:09, spamb... (AT) milmac (DOT) com (Doug Miller) wrote:
> In article <9b81d0a5-450b-48a6-a3d4-24d2119c0... (AT) h38g2000yqn (DOT) googlegroups.com>, Alfio Emanuele Fresta <alfio.emanuel... (AT) gmail (DOT) com> wrote:
> > On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> > > Demonstration of your efforts at constructing the query for yourself are appreciated. However, if you want help I suggest you provide a representative data set together with an illustration (in something approaching plain English) of what it is you're trying to achieve.
> >
> > The representative data set doesn't matter, I guess.
> > All I need is to execute an UPDATE query via an SQL-INJECTION, like
> > "UPDATE core_user SET pass='1' WHERE userid='/admin'"
> > I can only inject SQL in the WHERE clause of a SELECT query.
> > I don't mind what the SELECT will return.
> > I cannot use multiple queries.
>
> So in other words, you want to hack someone else's site but don't have the
> first clue how to do it yourself -- and you want us to help you.

I'm not looking for anything like this.
I find it very hard to explain because I'm not American/English,
that's all.
I'm not trying to hack anyone else's site, I only want to acknowledge.

I'll try to explain better than I did before.
I'm just wondering if it's possible to use an UPDATE, DELETE, DROP or
INSERT query
as a subquery of a SELECT one.
For example, you can use a SELECT subquery with the IN keyword
like this: SELECT name FROM news WHERE user IN (SELECT id FROM users
WHERE level = 20)

I'm wondering if a theoretical malicious person can potentially get
something like this executed:
"SELECT name FROM news WHERE id='123' AND (UPDATE users SET level=100
WHERE id=23)>0 AND status='1'"
Injecting SQL in some badly programmed and non-escaped code like this:
"SELECT name FROM news WHERE id='{$_GET['id']}'"

Considering that the php mysql_query() function doesn't allow any
multi-query string ";" separated,
may a malicious user UPDATE, DELETE or INSERT a row?

I've read that an UPDATE query should return the number of affected
rows.
So shouldn't this one
(UPDATE users SET level=100 WHERE id=23)>0
be interpreted such as 1>1 (true)?

The MySQL documentation (which I'm referring to) says
that WHERE may be followed by a subquery.
The same documentation tells:
"One restriction is that a subquery's statement must be one of:
SELECT, INSERT, UPDATE, DELETE, SET, or DO."
(http://dev.mysql.com/doc/refman/5.0/en/subqueries.html)

It actually is interpreted as a syntax error.
Not understanding why.

> FOAD.

Have a nice day you too

#10 Alfio Emanuele Fresta - Re: UPDATE as subquery of SELECT - 03-25-2011, 12:05 PM

On 25 Mar, 16:09, spamb... (AT) milmac (DOT) com (Doug Miller) wrote:
> In article <9b81d0a5-450b-48a6-a3d4-24d2119c0... (AT) h38g2000yqn (DOT) googlegroups.com>, Alfio Emanuele Fresta <alfio.emanuel... (AT) gmail (DOT) com> wrote:
> > On 25 Mar, 10:33, strawberry <zac.ca... (AT) gmail (DOT) com> wrote:
> > > Demonstration of your efforts at constructing the query for yourself are appreciated. However, if you want help I suggest you provide a representative data set together with an illustration (in something approaching plain English) of what it is you're trying to achieve.
> >
> > The representative data set doesn't matter, I guess.
> > All I need is to execute an UPDATE query via an SQL-INJECTION, like
> > "UPDATE core_user SET pass='1' WHERE userid='/admin'"
> > I can only inject SQL in the WHERE clause of a SELECT query.
> > I don't mind what the SELECT will return.
> > I cannot use multiple queries.
>
> So in other words, you want to hack someone else's site but don't have the
> first clue how to do it yourself -- and you want us to help you.

I'm not looking for anything like this, I'm not at all.
I'm not trying to hack anyone else's site either, just wanna learn.
It's not easy to explain it in English, because I'm not a native
English speaker.

What I wonder about is:
May a malicious user get its malicious query to be executed, something
like:

SELECT title FROM news WHERE id = '123' AND
(UPDATE user SET level=100 WHERE id='44') > 0
AND status='1'

... using to its advantage some badly programmed and non-escaped code
looking like this:

$query = "SELECT title FROM news WHERE id = '".$_GET['id']."'";

The malicious query written above actually doesn't work.
I think there's no reason an application would use an UPDATE query
as a subquery of a SELECT one, but it doesn't mean it
would not be executed by the database server.

In fact, the MySQL documentation says
- WHERE: it also accepts subqueries as conditions
- SUBQUERY: "One restriction is that a subquery's statement must be
one of: SELECT, INSERT, UPDATE, DELETE, SET, or DO."
(Source: http://dev.mysql.com/doc/refman/5.0/en/subqueries.html)

Actually, there are keywords like "IN" that accept subqueries (even
if "IN" only accepts SELECT ones).

According to the same documentation, an UPDATE query RETURNS the
number of affected rows.

So, shouldn't something like this:
SELECT title FROM news WHERE id = '123' AND
(UPDATE user SET level=100 WHERE id='44') > 0
AND status='1'

Be interpreted such as:
SELECT title FROM news WHERE id = '123' AND
1 > 0
AND status='1'

SELECT title FROM news WHERE id = '123' AND
true
AND status='1'

That actually works?

Finally, I'm wondering if the user could manipulate some SELECT query
injecting malicious SQL in order to
UPDATE, DELETE, DROP or INSERT (to write).
Could it ever succeed in modifying the database's data?

PS.: The php mysql_query() function I'm assuming
the badly coded application uses
actually forbids multiple queries ";"-separated.

> FOAD.

Have a nice day you too

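An added example, not part of any post in this thread: it runs the concatenated query from post #10 and a parameter-bound version against the request value that would yield the statement quoted there, then checks that the `user` row is untouched. Assumptions: SQLite (Python's `sqlite3`) stands in for MySQL, the sample rows are constructed, and the function names are hypothetical; like MySQL in the thread, SQLite rejects an UPDATE inside a WHERE expression as a syntax error.

```python
import sqlite3

def make_db():
    """In-memory database with constructed rows; names follow the thread's example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id TEXT, title TEXT, status TEXT);
        CREATE TABLE user (id TEXT, level INTEGER);
        INSERT INTO news VALUES ('123', 'Hello', '1');
        INSERT INTO user VALUES ('44', 1);
    """)
    return db

# Request value that reproduces the statement quoted in post #10.
THREAD_INPUT = "123' AND (UPDATE user SET level=100 WHERE id='44') > 0 AND status='1"

def concatenated(db, news_id):
    """Pattern from the thread: the value is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT title FROM news WHERE id = '" + news_id + "'"
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        # The parser saw the request text as SQL and rejected it.
        return ("syntax_error", str(exc))

def bound(db, news_id):
    """Hardened form: the value is bound, so it is only ever compared as data."""
    sql = "SELECT title FROM news WHERE id = ?"
    return ("rows", db.execute(sql, (news_id,)).fetchall())

def user_level(db):
    """Level of the constructed user row, to confirm nothing was written."""
    return db.execute("SELECT level FROM user WHERE id = '44'").fetchone()[0]

def demo():
    db = make_db()
    return {
        "concat_normal": concatenated(db, "123"),
        "concat_thread": concatenated(db, THREAD_INPUT)[0],
        "bound_normal": bound(db, "123"),
        "bound_thread": bound(db, THREAD_INPUT),
        "level_after": user_level(db),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

The MySQL manual sentence quoted in the thread lists the statement types that may contain a subquery (the outer statement), not what the subquery itself may be. The concatenated form still hands request text to the SQL parser, so the fix is parameter binding rather than relying on a particular input failing to parse.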