SQL Injection

(MySQL) Injecting UPDATE statements

Easy
30 min

In this module, we will familiarize ourselves with the UPDATE statement and the SQL injections that can occur within it!

UPDATE statement

Whereas the SELECT statement retrieves rows from the database and the INSERT statement adds rows to it, the UPDATE statement modifies rows that have already been added to the database with an INSERT statement.

The format of the UPDATE statement is as follows:

UPDATE table SET column=value, possibly_other_column=other_value WHERE conditions

So if we want to update the price of all cars with the brand Ferrari to 50000, we could run the following query:

UPDATE cars SET price=50000 WHERE brand='Ferrari'

When injecting into an UPDATE statement, the same subquery technique can be used as with INSERT statements. However, let's take a different approach for the sake of variation; instead of trying to reveal the admin user's password, let's try to make ourselves an admin user.

Open the exercise task, go to the user account page and update your information. Then try to find a vulnerability and update your information so that the value of the admin field is set to True. However, be careful not to lose the id restriction in the WHERE clause; otherwise you might accidentally apply your update to every user!
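The following is an added example, not code from the exercise or from Hakatemia: it places a string-concatenated UPDATE beside its parameterized form and shows that only the first lets a value in the name field extend the SET list. The table layout (users with id, name, admin), the function names and the sample input are assumptions, and sqlite3 stands in for MySQL so the code runs offline (MySQL drivers for Python use %s placeholders instead of ?).

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is an assumption, not the lab's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "admin INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO users (id, name, admin) VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    return db

def update_name_vulnerable(db, user_id, name):
    # Vulnerable: the value is pasted into the SQL text, so a quote inside it
    # ends the string literal and the remainder is parsed as more SET columns.
    db.execute(f"UPDATE users SET name='{name}' WHERE id={int(user_id)}")

def update_name_safe(db, user_id, name):
    # Hardened: placeholders keep the value as data. The column list is fixed
    # in the statement text and is never built from request input.
    db.execute("UPDATE users SET name=? WHERE id=?", (name, int(user_id)))

def row(db, user_id):
    return db.execute("SELECT name, admin FROM users WHERE id=?",
                      (user_id,)).fetchone()

def demo():
    crafted = "bob', admin='1"  # constructed input for the name field
    results = {}
    for label, fn in (("vulnerable", update_name_vulnerable),
                      ("safe", update_name_safe)):
        db = make_db()  # fresh database for each variant
        fn(db, 2, crafted)
        # Row 2 is the account being edited; row 3 must stay untouched.
        results[label] = (row(db, 2), row(db, 3))
    return results

if __name__ == "__main__":
    for label, (edited, other) in demo().items():
        print(label, "edited row:", edited, "other row:", other)
```

In the parameterized variant the whole input ends up stored as the name and the admin column keeps its value, which is the behaviour a code review or regression test should check for.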

MySQLi - UPDATE and Promotion to Administrator

In this lab you will familiarize yourself with the UPDATE statement and attempt to inject an extra field into the query.

Objective

Make yourself an administrator.

Exercises

Flag

Find the flag in the lab environment and enter it below.
