Does anybody know if it is possible to use sqlmap to inject into a SQL SELECT query, which takes in POST variables from a web form, to alter it to an INSERT or UPDATE statement, possibly by using the --prefix and --suffix switches?
For example, is it possible to replace
"SELECT full_name FROM people WHERE id=$_POST['id'] AND username=$_POST['username']"
with either of the following
"INSERT INTO people VALUES ('0', 'Mr. Back Track', 'BT')"
"UPDATE people SET username='change' WHERE id=$_POST['id']"
If there is another way to achieve this, suggestions would be welcome. I've tried stacking queries to append an INSERT/UPDATE statement after the SELECT, but keep getting syntax errors.