I built a website that uses SQL Server and have this SQL for deleting items by ID that I'm getting from the query string:
DELETE FROM tablename WHERE GUID = 'param'
Is it possible to inject SQL that will return db_name(), for example?
I know that I can inject SQL only for SELECT statements, something like this:
select name from tablename where 'parems'
union all
select db_name()
But what about DELETE statements?
I know that I can drop a table or insert into a table, but at this stage I need to know if I can get some kind of data, for example db_name().
Sure. This value of param:
' OR ''='
will result in this statement:
DELETE FROM tablename WHERE GUID ='' OR '' = ''
which will delete all data in the table.
Yes, a query always returns a result, so if the database driver allows it, you can simply add another query after the delete.
An input like this:
x'; select db_name() --
would give:
DELETE FROM tablename WHERE GUID = 'x'; select db_name() --'