Union-based SQL injection is one of the most dangerous web vulnerabilities worldwide, causing major breaches and financial losses. This guide covers everything you need to know – from the basics and attack steps to real-world incidents, prevention, and FAQs from experts.
Union-based SQLi is a key cybersecurity topic to learn in 2026. As web applications grow, so does the risk of SQL injection attacks – especially attacks that steal sensitive data using the UNION operator. This guide explains what union-based SQL injection is, why it remains a top threat, how the attacks work, and how you can prevent them. Whether you’re a student, IT professional, or security enthusiast, you’ll find practical steps, real-world examples, and expert advice to help you stay ahead.
What is Union-Based SQLi?
Union-based SQLi (SQL injection) is a hacking technique that allows attackers to steal data from a website’s database by abusing the SQL UNION operator. This operator is designed to combine the results of two or more queries. But in the wrong hands, it can be used to trick a website into revealing sensitive information – such as usernames, passwords, and even credit card numbers.
In simple terms, we can say that:
If a website doesn’t properly check what users type into a search box or URL, a hacker can hide additional commands. With union-based SQLi, those commands use UNION to grab data from tables that hackers shouldn’t see.
Learn More: Classic In-Band SQL Injection: Complete Noob-to-Expert Guide
Why is Union-Based SQLi Important?
Union-based SQLi is not just a theoretical risk – it is a leading cause of real-world data breaches in the U.S. According to a recent security report:
- SQLi accounts for 23.4% of all web vulnerabilities in 2024-2025.
- 12% of all breaches in the 2025 Verizon DBIR involved web application attacks, including SQLi.
- Financial, healthcare, and retail sectors are the most targeted.
- The average time to fix SQLi vulnerabilities is 32 days, leaving a large window for attackers.
Key Finding:
Union-based SQLi is still the number one web application vulnerability in the United States, causing millions in losses and affecting organizations of all sizes.
Why does it persist?
- Many web apps still use unsafe query construction.
- Attackers can easily automate these attacks.
- Legacy systems and poor patch management increase risk.
Why Should You Care About Union-Based SQLi?
- It is common: Many websites are still vulnerable, even in 2026.
- It is dangerous: Attackers can steal, change, or delete data.
- It is easy to exploit: Even beginners can learn the basics in a few hours.
- It is preventable: With the right steps, you can protect your site and your users.
Key Finding:
Union-Based SQLi is one of the top threats in the OWASP Top 10, making it a must-know for anyone learning cybersecurity
Benefits of Understanding Union-Based SQLi
Learning about Union-Based SQLi gives you a strong foundation in web security. Here is why it matters:
- Protects Sensitive Data: Prevents leaks of user credentials, financial info, and more.
- Reduces Breach Risk: Stops attackers before they can exploit your systems.
- Boosts Career Skills: Essential knowledge for cybersecurity roles, pen testing, and secure development.
- Improves Compliance: Helps meet standards like PCI DSS, HIPAA, and NIST.
- Enables Proactive Defense: Lets you spot and fix vulnerabilities before attackers do.
How Does Union-Based SQLi Work?
Let’s break it down:
- The Setup:
A website uses user input (like a product ID in the URL) to build a SQL query. - The Flaw:
The website does not check or “sanitize” the input. This means a hacker can add SQL code. - The Attack:
The hacker add aUNION SELECTstatement to the input. If the website is vulnerable, the database combines the hacker’s query with the original one. - The Result:
The website shows the hacker’s data—right in the browser.
Example: Suppose a website uses this query to show product details:
sql
SELECT name, price FROM products WHERE id = 5;
A hacker changes the URL to:
text
/product?id=5 UNION SELECT username, password FROM users--
Now the query becomes:
sql
SELECT name, price FROM products WHERE id = 5
UNION SELECT username, password FROM users;
If the site is vulnerable, it will display usernames and passwords instead of product info!
Attack Chain Table
| Step | Example Input | Purpose |
|---|---|---|
| 1. Test for SQLi | ' OR '1'='1 | Check for injection |
| 2. Find columns | ' UNION SELECT NULL-- | Match column count |
| 3. Find data type | ' UNION SELECT 'abc', NULL-- | Identify string columns |
| 4. Extract data | ' UNION SELECT username, password FROM users-- | Steal data |
Step-by-Step: How Attackers Exploit Union-Based SQLi
Let’s walk through a typical attack, step by step.
1. Find a Vulnerable Input
Attackers look for places where user input affects a SQL query—like search boxes, login forms, or URLs.
2. Test for SQL Injection
They try adding a single quote (') or other SQL syntax to see if the site throws an error or behaves strangely.Example:
text
/product?id=5'
If the site shows a database error, it is likely vulnerable.
3. Discover the Number of Columns
The UNION operator only works if both queries have the same number of columns. Attackers use ORDER BY or UNION SELECT NULL tricks to figure this out.Example:
text
/product?id=5 ORDER BY 1--
/product?id=5 ORDER BY 2--
/product?id=5 ORDER BY 3--
When the site errors out, they know how many columns there are.
4. Find Data Types
Attackers test different data types (string, number, date) in each column to match the original query.
5. Inject the Malicious UNION Query
Once they know the structure, they inject a UNION SELECT statement to pull data from other tables. Example:
text
/product?id=5 UNION SELECT username, password FROM users--
6. Extract the Data
The site displays the stolen data in the browser, often mixed with normal content.
Attack Flowchart
mermaid
graph TD
A[Find Input] --> B[Test for SQLi]
B --> C[Find Column Count]
C --> D[Find Data Types]
D --> E[Inject UNION Query]
E --> F[Extract Data]
Real-World Examples of Union-Based SQLi
Example 1: Extracting Database Version
Attackers often start by learning about the database.
- MySQL:
/product?id=5 UNION SELECT @@version, NULL-- - SQL Server:
/product?id=5 UNION SELECT @@version, NULL-- - Oracle:
/product?id=5 UNION SELECT banner, NULL FROM v$version--
Example 2: Stealing User Credentials
If the attacker knows the table and column names:
text
/product?id=5 UNION SELECT username, password FROM users--
Example 3: Real Breach
In 2024, a major US retailer suffered a data breach when attackers used Union-Based SQLi to access customer records. The attackers found a vulnerable search field, used UNION SELECT to enumerate tables, and eventually dumped thousands of records. The breach cost millions in fines and lost trust.
How to Detect Union-Based SQLi Vulnerabilities
Manual Testing
- Error Messages:
Enter'or"in input fields. If you see a database error, the site may be vulnerable. - Behavioral Changes:
Try addingORDER BYorUNION SELECTto see if the site reacts differently.
Automated Tools
- SQLMap:
The most popular tool for finding and exploiting SQLi, including Union-Based SQLi. - Burp Suite:
Intercepts and modifies requests to test for vulnerabilities. - Web Application Scanners:
Tools like Acunetix and Netsparker automate SQLi detection.
Code Review
- Static Analysis:
Review source code for unsanitized inputs. - Dynamic Analysis:
Monitor queries at runtime for suspicious patterns.
Advanced Strategies: Bypassing Defenses & Complex Attacks
Bypassing Web Application Firewalls (WAFs)
Attackers use tricks to evade filters:
- Obfuscation:
un/**/ion se/**/lect - URL Encoding:
%55nion(%53elect) - Case Variation:
UNION SELECTvsunion select - Alternative Functions: Using
mid()instead ofsubstring()
Exploiting Complex Queries
- Attackers analyze backend logic and may use aliases or inject into subqueries.
- They adapt payloads to match the application’s query structure.
Blind Union-Based SQLi
If the app does not display results, attackers use:
- Time-based techniques: Injecting delays to infer data.
- Boolean-based techniques: Observing true/false responses.
Example:
sql
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50), BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')), NULL) FROM users WHERE user_id = 1;Common Mistakes in Union-Based SQLi Prevention & Testing
Key Finding:
Most Union-Based SQLi breaches happen due to simple, avoidable mistakes.
Top Mistakes
- Unsafe Query Construction: Concatenating user input directly into SQL queries.
- Overreliance on Input Sanitization: Blacklists and escaping are not enough.
- Client-Side Validation Only: Attackers can bypass JavaScript checks.
- Inconsistent Parameterization: Not using prepared statements everywhere.
- Assuming ORMs/Frameworks Are Always Safe: Raw queries or custom logic can still be vulnerable.
- Improper Error Handling: Exposing database errors helps attackers craft payloads.
- Neglecting All Input Vectors: Overlooking cookies, headers, or hidden fields.
- Excessive Database Privileges: Using admin accounts increases breach impact.
- Overreliance on WAFs: WAFs can be bypassed and are not a substitute for secure coding.
- Ignoring Legacy Code: Old systems often lack modern protections.
- Lack of Comprehensive Testing: Only basic scans miss complex vulnerabilities.
- Not Updating Software: Outdated libraries and databases are easy targets.
Mistakes Table
| Mistake | Impact |
|---|---|
| Unsafe query construction | Enables SQLi attacks |
| Blacklist reliance | Easy to bypass |
| Client-side validation | Ineffective for security |
| Inconsistent parameterization | Leaves gaps |
| Exposing errors | Helps attackers |
| Excessive privileges | Increases damage |
| Ignoring legacy code | Hidden vulnerabilities |
How to Prevent Union-Based SQLi Attacks
Key Finding:
The best defense is to never trust user input. Always validate and sanitize everything
1. Use Parameterized Queries (Prepared Statements)
This is the gold standard. Parameterized queries keep user input separate from SQL code. Example in Python:
python
cursor.execute("SELECT name, price FROM products WHERE id = %s", (user_input,))
2. Input Validation
- Allow-List: Only accept expected values (e.g., numbers for IDs).
- Deny-List: Not recommended—attackers can bypass it.
3. Least Privilege Principle
Give your database user only the permissions it needs. Don’t let it access sensitive tables if it does not have to.
4. Web Application Firewalls (WAFs)
A WAF can block many common SQLi attacks, but it is not foolproof. Attackers can use obfuscation to sneak past.
5. Regular Security Testing
- Penetration Testing: Hire experts to test your site.
- Automated Scans: Run regular scans for vulnerabilities.
6. Keep Software Updated
Apply security patches to your database, frameworks, and libraries.
Prevention Table
| Technique | Practical Step |
|---|---|
| Parameterized queries | Use prepared statements everywhere |
| Input validation | Allow-list all user input |
| Least privilege | Restrict database permissions |
| WAF | Deploy and update regularly |
| Error handling | Hide errors from users |
| Security testing | Combine automated and manual tests |
| Patch management | Update all components promptly |
Union-Based SQLi vs. Other SQL Injection Types
| Type | How It Works | Data Extraction Method | Difficulty |
|---|---|---|---|
| Union-Based SQLi | Uses UNION to combine queries and extract data | Direct (in-band) | Easy |
| Error-Based SQLi | Forces database errors to reveal data | Direct (in-band) | Medium |
| Blind SQLi | Infers data by observing app behavior (no output) | Indirect (timing, responses) | Hard |
| Out-of-Band SQLi | Uses alternate channels (DNS, HTTP) | Indirect (external channel) | Hard |
Key Takeaway:
Union-Based SQLi is the easiest for attackers because it gives instant feedback and data.
Tools for Testing and Defending Against Union-Based SQLi
Testing Tools
- SQLMap: Automates detection and exploitation.
- Burp Suite: For manual and automated testing.
- Havij: User-friendly SQLi tool (for educational use only).
- OWASP ZAP: Open-source web app scanner.
Defensive Tools
- Web Application Firewalls (WAFs): Block known attack patterns.
- Static Code Analyzers: Find vulnerabilities in source code.
- Database Activity Monitoring: Alerts on suspicious queries.
Tools Table
| Tool | Automated | Manual | Union-Based SQLi Detection |
|---|---|---|---|
| SQLMap | Yes | Limited | Yes |
| Burp Suite | Yes | Yes | Yes |
| OWASP ZAP | Yes | Yes | Yes |
| Nessus | Yes | No | Yes |
Real-World Case Studies: Union-Based SQLi in Action
Yahoo! Voices (2012)
- Attack: Union-Based SQLi exposed 450,000 user credentials.
- Impact: Major data leak, reputational damage.
- Lesson: Lack of input validation and plaintext storage.
Heartland Payment Systems (2008)
- Attack: SQLi led to 130 million card numbers stolen.
- Impact: $140M+ in losses, regulatory fines.
- Lesson: Need for secure coding and network segmentation.
TalkTalk (2015)
- Attack: SQLi on legacy systems exposed 157,000 customer records.
- Impact: £77M in costs, regulatory penalties.
- Lesson: Outdated systems and poor security reviews.
MoveIT Transfer (2023)
- Attack: Union-Based SQLi (CVE-2023-34362) exploited by ransomware group.
- Impact: Multiple organizations breached, sensitive data stolen.
- Lesson: Importance of patching and input sanitization.
More Notable Incidents
| Organization | Year | Data Compromised | Lesson |
|---|---|---|---|
| Sony Pictures | 2011 | 77M accounts | SQLi led to massive breach |
| 7-Eleven | 2007–09 | 130M card numbers | SQLi in retail systems |
| Freepik | 2020 | 8.3M emails, 3.7M passwords | Outdated systems, poor patching |
wow