The UNION ALL command is used to combine the results of two different SQL queries into a single result set. Attackers use this to trick a database into returning sensitive information (like usernames, passwords, or configuration data) that the user was never intended to see.

3. SELECT NULL

{KEYWORD}' UNION ALL SELECT NULL-- FHDA

The SELECT NULL part is often a "probe." For a UNION attack to work, the second query must have the exact same number of columns as the first. Attackers will add NULL values one by one (e.g., SELECT NULL, NULL-- ) until the page stops returning an error, which reveals how many columns the original query returns.

4. Commenting Out ( -- )

The -- (double dash) is the SQL syntax for a comment. Everything following these dashes is ignored by the database. This is used to "comment out" the rest of the original, legitimate code (like a closing quote or a WHERE clause) that would otherwise cause a syntax error and make the injected query fail.
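The column-count probe and trailing comment described above, run against a constructed in-memory SQLite table. This is an added example, not code from the original page: the string-concatenated query is the vulnerable form and the bound-parameter query is the fix. The table, column and function names and the keyword "widget" are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema and rows are assumptions for this demo.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("widget", 9.5), ("gadget", 20.0)])
    return db

def search_concat(db, keyword):
    """Vulnerable 'before': user input is pasted into the SQL text."""
    sql = ("SELECT name, price FROM products WHERE name = '"
           + keyword + "' AND price > 0")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The database error is the signal the probe depends on.
        return "error: " + str(exc)

def search_bound(db, keyword):
    """Hardened 'after': input travels as a bound parameter, never as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ? AND price > 0"
    return db.execute(sql, (keyword,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probes = {
        "1 NULL": "widget' UNION ALL SELECT NULL-- FHDA",
        "2 NULLs": "widget' UNION ALL SELECT NULL, NULL-- FHDA",
    }
    for label, kw in probes.items():
        # Concatenated: the -- hides "' AND price > 0"; one NULL fails on
        # the column-count mismatch, two NULLs append a (None, None) row.
        print(label, "concat:", search_concat(db, kw))
        # Bound: the whole string is compared as a product name; no match.
        print(label, "bound: ", search_bound(db, kw))
```

With bound parameters both probes return the same empty result, so there is no error/no-error difference left to observe.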