
Union-based SQL injection
Union-based SQL injection is a type of SQL injection attack that involves using the UNION operator in a SQL query to combine the results of two or more SELECT statements. This allows the attacker to access and manipulate data from multiple tables in the database.
To perform a union-based SQL injection attack, the attacker must find a vulnerable application that allows them to submit a user-supplied input in a SQL query. They can then modify the input to include a UNION clause and additional SELECT statements, which will be executed as part of the original query.
For example, consider the following vulnerable SQL query:
SELECT * FROM users WHERE username='$username' AND password='$password';
An attacker might modify the $username input to include a UNION clause and an additional SELECT statement, like this:
' UNION SELECT * FROM users WHERE username='admin' AND password='password'--
This would cause the original query to become:
SELECT * FROM users WHERE username='' UNION SELECT * FROM users WHERE username='admin' AND password='password'--' AND password='$password';
The UNION clause would combine the results of the two SELECT statements, allowing the attacker to access the data for the admin user even if they do not know the correct password for that user.
To prevent union-based SQL injection attacks, it is important to properly validate and sanitize user input, and to use prepared statements or stored procedures with parameterized queries to prevent dynamic SQL queries from being constructed with user-supplied input.
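The following is an added example, not code from the original page: it puts the page's string-built login query next to a parameterized version and runs the page's own payload through both against a small in-memory SQLite table. The table rows, the column layout (id, username, password) and the seeded admin password 'password' are constructed assumptions chosen so that the payload quoted above has a row to return; the regex whitelist is one illustration of the input validation the page recommends, not a substitute for parameterization.

```python
import re
import sqlite3

# Constructed sample data (assumption, not from the page): a tiny users table
# with plaintext passwords, matching the shape of the page's example query.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "admin", "password"),  # seeded so the page's payload matches a row
]

# The payload quoted on the page, supplied verbatim as the username field.
UNION_PAYLOAD = (
    "' UNION SELECT * FROM users WHERE username='admin' AND password='password'--"
)

# Assumed username policy for the validation step: short alphanumeric tokens.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by string interpolation, exactly like the $username/$password
    query on the page. Quotes in the input become part of the SQL grammar."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}';"
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Prepared statement: the input is bound as a literal value and is never
    parsed as SQL, so a UNION in the username cannot change the query."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def is_valid_username(username):
    """Allow-list validation: rejects anything outside the expected character set."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run a legitimate login and the page's payload through both query styles."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        # Password field is deliberately wrong: the trailing -- in the payload
        # comments out the AND password=... clause in the string-built query.
        "payload_vulnerable": login_vulnerable(conn, UNION_PAYLOAD, "wrong"),
        "payload_parameterized": login_parameterized(conn, UNION_PAYLOAD, "wrong"),
        "payload_passes_validation": is_valid_username(UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the string-built query returning the admin row for the payload with a wrong password, while the parameterized query returns no rows for the same input, and the allow-list check rejects the payload before it reaches the database at all. The validation is defense in depth; the parameterized query is what actually closes the injection.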