During a web assessment you verify a classic SQL injection in a GET parameter. All requests pass through a custom WAF that drops any HTTP line containing the exact uppercase substring "UNION" but performs no other normalization. The back-end DBMS is MySQL 5.x. Which simple evasion technique is most likely to let you continue using a UNION-based payload without being blocked?
Substitute the UNION operator with CROSS JOIN to merge the result sets
Insert an inline C-style comment to split the word, for example UNI/**/ON select …
URL-encode the word UNION as %55%4E%49%4F%4E in the request
Use the keyword in all lowercase, for example union select …
Because the WAF performs a case-sensitive match on the exact uppercase string "UNION", sending the keyword entirely in lowercase (or any case that does not exactly match "UNION") avoids detection. MySQL treats keywords as case-insensitive, so a payload such as union select user, password from accounts is parsed and executed correctly. Splitting the keyword with inline C-style comments (e.g., UNI/**/ON) fails in MySQL because comments cannot appear inside a keyword. Percent-encoding is generally decoded by WAFs before inspection, and replacing UNION with CROSS JOIN changes query semantics, preventing a straightforward UNION-based data extraction.
Certified Ethical Hacker (CEH)
Web Application Hacking