Here is a detailed breakdown of what each component of this specific string does:

1. {KEYWORD}:

2. NULL: NULL is used because it is compatible with almost any data type (integers, strings, dates, etc.).

3. The six NULL values: By using six NULL values, the attacker is testing whether the original query has exactly six columns.
   - If the page loads normally, the database returns a row of empty data. The attacker now knows the database is expecting 6 columns and can proceed to more dangerous injections, such as UNION SELECT username, password, NULL... to steal sensitive information.
   - If the page returns an error (like "The used SELECT statements have a different number of columns"), the attacker will try again with five or seven NULL values until the error disappears.

4. -- (The Comment): In SQL, double-dashes signify the start of a comment.

Developers should use parameterized queries (prepared statements), which treat user input as literal data rather than executable code.
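The following is an added example (not code from the original page) that shows, on a constructed six-column SQLite table, why the column-count probe described above works against a string-concatenated query and why it stops working once the same lookup is written as a parameterized query. The table, column names, the `sku` lookup, and the function names are assumptions made for the demo; the probe strings are the six-NULL and five-NULL variants discussed in the text.

```python
import sqlite3

# Constructed demo schema (assumption): a six-column table, so the six-NULL
# probe from the text matches the column count of the original SELECT.
SCHEMA = """
CREATE TABLE products (
    id INTEGER, name TEXT, price REAL, category TEXT, sku TEXT, added TEXT
);
INSERT INTO products VALUES (1, 'Widget', 9.99, 'tools', 'W-1', '2024-01-01');
INSERT INTO products VALUES (2, 'Gadget', 19.99, 'tools', 'G-2', '2024-02-01');
"""

# The probes discussed in the text: a matching count (6) and a mismatch (5).
PROBE_6 = "' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL-- "
PROBE_5 = "' UNION SELECT NULL,NULL,NULL,NULL,NULL-- "


def fresh_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, sku):
    # Vulnerable form: the input is pasted into the SQL text, so a quote,
    # a UNION and a trailing comment become part of the statement.
    sql = ("SELECT id, name, price, category, sku, added FROM products "
           f"WHERE sku = '{sku}'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, sku):
    # Hardened form: a parameterized query. The driver sends the input as a
    # bound value, so the whole probe string is compared against the sku
    # column as literal text and never parsed as SQL.
    sql = ("SELECT id, name, price, category, sku, added FROM products "
           "WHERE sku = ?")
    return conn.execute(sql, (sku,)).fetchall()


def probe_outcome(lookup, user_input):
    """Run one lookup against a fresh database.

    Returns ("rows", rows) when the statement executes, or ("error", message)
    when the database rejects it. The error/no-error difference is exactly
    the signal the text describes an attacker using to count columns.
    """
    conn = fresh_db()
    try:
        return ("rows", lookup(conn, user_input))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    # Vulnerable query, six NULLs: one all-NULL row comes back (the "row of
    # empty data" from the text) with no error, confirming six columns.
    print("vulnerable / 6 NULLs:", probe_outcome(vulnerable_lookup, PROBE_6))
    # Vulnerable query, five NULLs: the database raises a column-count error.
    print("vulnerable / 5 NULLs:", probe_outcome(vulnerable_lookup, PROBE_5))
    # Parameterized query, six NULLs: no error, no extra row; the probe is
    # simply a sku value that does not exist.
    print("parameterized / 6 NULLs:", probe_outcome(safe_lookup, PROBE_6))
    print("parameterized / real sku:", probe_outcome(safe_lookup, "W-1"))
```

The point to take from the two vulnerable runs is that the difference in behaviour (a clean empty row versus a column-count error) is the only feedback the probe needs, which is why generic error pages matter as a defence in depth; the parameterized version removes the problem at the root because the input never reaches the SQL parser.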