I know you need prepared statements and such to avoid SQL injection, and I’ve seen that there are different questions about exploits for SELECT, INSERT, UPDATE injectable queries.
But I couldn’t come up with an exploit sample for the USE statement. Suppose I have an injectable single statement that looks like this:
What data could the attacker use if they can put anything in place of data_from_attacker, considering I’m looking for an exploit example that is not just selecting a DB (i.e., selecting the information_schema or mysql DB seems harmless, as the next queries won’t work because the tables won’t exist; and selecting a DB that does not exist also seems harmless).
Also, consider that mysql will only interpret the 1st query, so the attacker cannot inject:
mysql`; SELECT * FROM `users
Can you find such an exploit for MySQL? The USE syntax seems very “poor” for such an injection…
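On the defensive side, a database name is an identifier and cannot be bound as a prepared-statement parameter, so a USE statement built from user input has to be validated instead. The following is an added example, not code from the original post; it assumes the statement has the form USE followed by a backtick-quoted name, and the allowlist entries and function names are hypothetical.

```python
import re

# Assumption: the only databases the application may switch to (constructed names).
ALLOWED_DATABASES = frozenset({"app_main", "app_reports"})

# Deliberately stricter than MySQL's identifier rules: ASCII letters, digits and
# underscore only, at most 64 characters (MySQL's identifier length limit).
_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# The input quoted in the post above, reused here as a test value.
PAGE_PAYLOAD = "mysql`; SELECT * FROM `users"


def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier, doubling any embedded backtick."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return "`" + name.replace("`", "``") + "`"


def build_use_statement(requested: str) -> str:
    """Return a USE statement only for a syntactically plain, allowlisted name."""
    if not _NAME_RE.fullmatch(requested):
        raise ValueError("invalid database name")
    if requested not in ALLOWED_DATABASES:
        # Also blocks valid but unintended targets such as mysql or
        # information_schema, which the post mentions.
        raise PermissionError("database not allowed")
    # Quoting is kept as defence in depth even though the regex already
    # excludes backticks.
    return "USE " + quote_identifier(requested)


def classify(requested: str) -> str:
    """Report how build_use_statement treats one input."""
    try:
        return build_use_statement(requested)
    except ValueError:
        return "rejected: syntax"
    except PermissionError:
        return "rejected: not allowlisted"


if __name__ == "__main__":
    for sample in ("app_main", "mysql", "no_such_db", PAGE_PAYLOAD):
        print(repr(sample), "->", classify(sample))
```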