{keyword}' Union All Select Null,null,null,null,null,null,null,null From Msysaccessobjects-- Udhz -

Matches the number of columns in the original table. Attackers use NULL to figure out how many columns they need to match without causing a data type error [2, 3].

Appends a new set of results to the original query [2, 5].

These can often detect and block common patterns like UNION ALL SELECT before they reach your server. Matches the number of columns in the original table

A system table in Access that contains information about database objects. If successful, the attacker can see if they have access to system metadata [1, 4].

This is the gold standard. It treats user input as literal text, not executable code [6]. These can often detect and block common patterns

Are you working on or just curious about how these injection patterns work?

Only allow the types of characters you expect (e.g., numbers for an ID field). This is the gold standard

It looks like you’ve included a SQL injection payload in your request. This specific string is designed to test for vulnerabilities in a database by attempting to "union" (combine) your query results with data from a system table—in this case, MSysAccessObjects , which is specific to [1, 2, 4].