The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Batched (or stacked) queries SQLi

secf00tprint | Last updated: Jul 03, 2020 08:41PM UTC

At https://portswigger.net/web-security/sql-injection/cheat-sheet, chapter "Batched (or stacked) queries", it is written: "MySQL Does not support batched queries."

Perhaps I understand it wrong, but when I start a mysql instance by running:

    sudo docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql
    sudo docker exec -ti some-mysql mysql -uroot -pmy-secret-pw

I can do:

    SELECT table_name FROM information_schema.tables; select @@version;
    ...
    | x$user_summary_by_stages |
    | x$user_summary_by_statement_latency |
    | x$user_summary_by_statement_type |
    | x$wait_classes_global_by_avg_latency |
    | x$wait_classes_global_by_latency |
    | x$waits_by_host_by_latency |
    | x$waits_by_user_by_latency |
    | x$waits_global_by_latency |
    +------------------------------------------------------+
    311 rows in set (0.01 sec)

    -> ;
    +-----------+
    | @@version |
    +-----------+
    | 8.0.20    |
    +-----------+
    1 row in set (0.00 sec)

Am I missing something?

secf00tprint | Last updated: Jul 05, 2020 08:43PM UTC

Verified it: The mysql client seems to take the queries apart and send them individually to the database. If you test it directly in a SQLi or in code, it doesn't work.
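
Added example (not part of the original posts, and not the mysql client's actual code): a simplified Python model of the behaviour described in the post above, where the interactive client cuts the typed line at the `;` delimiter and sends each statement as its own query, so the server never receives a batch. The helper name `split_statements` and the sample input are assumptions made for illustration.

```python
# Added illustration: a simplified model of how an interactive SQL client
# cuts typed input at the statement delimiter before talking to the server.
# split_statements() is a hypothetical helper, not the mysql client's code.

def split_statements(buffer, delimiter=";"):
    """Return the statements a client would send one at a time."""
    statements, current = [], []
    quote = None          # active quote character: ', " or `
    i, n = 0, len(buffer)
    while i < n:
        ch = buffer[i]
        if quote:
            current.append(ch)
            if ch == "\\" and quote != "`" and i + 1 < n:
                current.append(buffer[i + 1])   # keep the escaped char verbatim
                i += 1
            elif ch == quote:
                quote = None                    # literal or identifier closed
        elif ch in "'\"`":
            quote = ch
            current.append(ch)
        elif ch == "#" or (buffer.startswith("--", i)
                           and buffer[i + 2:i + 3] in ("", " ", "\t", "\n")):
            # Line comment: a delimiter inside it does not end the statement.
            while i < n and buffer[i] != "\n":
                i += 1
            continue
        elif buffer.startswith(delimiter, i):
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)         # one statement, one round trip
            current = []
            i += len(delimiter) - 1
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements

# Constructed sample input: the line typed in the forum post.
TYPED = "SELECT table_name FROM information_schema.tables; select @@version;"

if __name__ == "__main__":
    for idx, stmt in enumerate(split_statements(TYPED), 1):
        print(f"query {idx} sent separately: {stmt}")
```

A query string that reaches the server through application code skips this client-side step and arrives as a single string, which is the case the cheat sheet statement is about.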

Michelle, PortSwigger Agent | Last updated: Jul 06, 2020 02:18PM UTC