{keyword}' Union All Select Null,null,null,null,null,null,null,null From Msysaccessobjects-- Udhz -

Matches the number of columns in the original table. Attackers use NULL to figure out how many columns they need to match without causing a data type error [2, 3].

This is the gold standard. It treats user input as literal text, not executable code [6]. Matches the number of columns in the original table

Comments out the rest of the original query so it doesn't cause a syntax error [1, 5]. How to Prevent It: It treats user input as literal text, not

Only allow the types of characters you expect (e.g., numbers for an ID field). Appends a new set of results to the original query [2, 5]

Appends a new set of results to the original query [2, 5].

If you are looking to learn about this for security research or to protect your own applications, here is a quick guide on what’s happening and how to prevent it. What this payload does: