This is the gold standard. It treats user input as literal text, not executable code [6].
The best way to stop these attacks is to never "glue" user input directly into your database queries. Instead, use:
A system table in Access that contains information about database objects. If successful, the attacker can see if they have access to system metadata [1, 4].
These can often detect and block common patterns like UNION ALL SELECT before they reach your server.
Appends a new set of results to the original query [2, 5].
Are you working on or just curious about how these injection patterns work?
It looks like you’ve included a SQL injection payload in your request. This specific string is designed to test for vulnerabilities in a database by attempting to "union" (combine) your query results with data from a system table, in this case MSysAccessObjects, which is specific to Access [1, 2, 4].
Breaks out of the intended data field in a SQL query.
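The advice above about never gluing user input into a query, shown as an added example that is not from the original page: the same lookup written with string concatenation and with a bound placeholder. It assumes SQLite through Python's `sqlite3` rather than Access, and the tables, rows and crafted input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with a public and a private table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT);
        CREATE TABLE internal_notes (note TEXT, owner TEXT);
        INSERT INTO products VALUES ('widget', 'tools'), ('gadget', 'toys');
        INSERT INTO internal_notes VALUES ('rotate keys monthly', 'ops');
    """)
    return conn


# Constructed input in the shape the page describes: a quote that breaks out
# of the data field, then UNION ALL SELECT to append rows from another table.
CRAFTED = "x' UNION ALL SELECT note, owner FROM internal_notes --"


def search_glued(conn, category):
    # Vulnerable: the input becomes part of the SQL text, so the quote in
    # CRAFTED ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def search_bound(conn, category):
    # Hardened: the ? placeholder sends the input as a value, so the whole
    # string is compared literally against the category column.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for label, value in (("normal", "tools"), ("crafted", CRAFTED)):
        print(label, "glued:", search_glued(db, value))
        print(label, "bound:", search_bound(db, value))
```

With ordinary input both functions return the same rows; with the crafted input only the concatenated version returns data from the second table.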