Union

As we mentioned before, some SQL injections take advantage of the UNION operator, which combines the results of two SELECT statements and can therefore be used to get information from two different tables.

Let's check the first example we reviewed:

SELECT student_name, average FROM students WHERE kardex= '2004620080';

If we can modify the statement, it is possible to get more information than the developer originally intended. For example, we can get the passwords stored in the database, using the following statement:

SELECT student_name, average FROM students WHERE kardex=' UNION SELECT admin,password,uid FROM administrators--

This is the same statement, but in this example we are not limited to extracting the information from the table used by the original statement; it extracts the information from the administrators table.
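The difference between a concatenated query and a parameterized one for this lookup, as an added example that is not from the original text. It assumes an in-memory SQLite database with constructed rows; the function names, column types and the two-column form of the injected input are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory database mirroring the page's two tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE students (kardex TEXT, student_name TEXT, average REAL);
        CREATE TABLE administrators (uid INTEGER, admin TEXT, password TEXT);
        INSERT INTO students VALUES ('2004620080', 'Alice Example', 9.1);
        INSERT INTO administrators VALUES (1, 'root', 'constructed-secret');
    """)
    return db

def lookup_concatenated(db, kardex):
    """Vulnerable form: the input becomes part of the SQL text."""
    sql = ("SELECT student_name, average FROM students "
           "WHERE kardex='" + kardex + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, kardex):
    """Hardened form: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT student_name, average FROM students WHERE kardex = ?"
    return db.execute(sql, (kardex,)).fetchall()

# Constructed input modeled on the page's statement (two columns, so the
# UNION matches the column count of the original SELECT).
INJECTED = "' UNION SELECT admin, password FROM administrators--"

if __name__ == "__main__":
    db = make_db()
    for value in ("2004620080", INJECTED):
        print(repr(value))
        print("  concatenated: ", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

With the bound parameter, the whole input is compared against kardex as a string, so the UNION text never reaches the SQL parser and the lookup returns no rows.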
