Payload: {keyword}) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#
Status: Validated

How the payload works

Closing parenthesis ): This part attempts to "break out" of the existing SQL command. The closing parenthesis ) closes a function call or a nested query that the developer originally intended, so that whatever follows it is parsed as a new clause rather than as part of the keyword.

UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL: This is a common reconnaissance technique. An attacker uses NULL values to determine the exact number of columns returned by the original query. If the number of NULLs doesn't match the original column count, the database will usually throw an error. By adding or removing NULLs, an attacker can find the correct structure.

#: This starts a comment in MySQL-family databases, so the remainder of the developer's original query after the injected text is ignored.

How to protect your application

To protect your application from this type of attack, you should avoid building queries using simple string concatenation. Instead, use:

Parameterized queries (prepared statements): This treats user input as data, not as executable code.

Input validation: Only allow expected characters and formats.
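The two mitigations above, as an added example that is not part of the original page: a hypothetical product search over a constructed in-memory SQLite table. `build_vulnerable_sql` only shows how concatenation splices the payload into the statement text (it is not executed); `search_products` applies an allow-list check and then binds the keyword as a parameter so it can only ever be compared against product names.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory catalogue to search against.
SAMPLE_ROWS = [("Widget", "tools"), ("Gadget", "electronics")]

# The payload from the text, with "{keyword}" replaced by an empty prefix.
PAYLOAD = ") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#"

# Allow-list of the characters a product keyword is expected to contain
# (an assumption for this example; adjust to the real field's format).
KEYWORD_RE = re.compile(r"[A-Za-z0-9 _-]{1,50}")


def keyword_is_valid(keyword: str) -> bool:
    """Reject anything outside the expected format, e.g. ')', '#' or ','."""
    return KEYWORD_RE.fullmatch(keyword) is not None


def build_vulnerable_sql(keyword: str) -> str:
    """The concatenation pattern the text warns against: the input is spliced
    into the SQL text, so ')' closes the developer's subquery and the rest of
    the payload becomes part of the statement. Returned as text, not executed."""
    return ("SELECT name, category FROM products WHERE name IN "
            f"(SELECT name FROM products WHERE name LIKE '%{keyword}%')")


def search_products(keyword: str, validate: bool = True) -> list:
    """Hardened version: optional allow-list check, then a parameterised query.
    The driver binds the keyword as a value, so it is only ever compared
    against product names and never parsed as SQL."""
    if validate and not keyword_is_valid(keyword):
        raise ValueError("keyword contains unexpected characters")
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
        conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
        cur = conn.execute(
            "SELECT name, category FROM products WHERE name LIKE ?",
            (f"%{keyword}%",),
        )
        return cur.fetchall()
    finally:
        conn.close()
```

With validation disabled, the parameterised query still returns no rows for the payload, because the whole string is matched literally against product names; with validation enabled it is rejected before any query runs.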

