/union · sink: string-concatenated SELECT
Product category filter concatenated into SQL; result rows are rendered.
Query shape: SELECT name, description, price FROM products WHERE category='<input>'. The three columns are returned to you. Try ?category=widgets' UNION SELECT name, value, 0 FROM secrets--
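Added example, not the lab's own code: the concatenated sink next to a bound-parameter version of the same query, with a regression check that flags any returned row that did not come from products. The SQLite engine, the sample rows and the function names are assumptions; the table and column names and the test input are the ones given above.

```python
import sqlite3

# Input string quoted on this page, used here as a regression-test value.
PAGE_INPUT = "widgets' UNION SELECT name, value, 0 FROM secrets--"


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, price REAL, category TEXT);
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO products VALUES ('Widget A', 'Small widget', 9.99, 'widgets');
        INSERT INTO products VALUES ('Gadget B', 'Large gadget', 19.99, 'gadgets');
        INSERT INTO secrets VALUES ('api_key', 'CONSTRUCTED-SAMPLE-VALUE');
    """)
    return db


def search_concat(db, category):
    """The sink as described: input is spliced into the SQL text."""
    sql = ("SELECT name, description, price FROM products "
           "WHERE category='" + category + "'")
    return db.execute(sql).fetchall()


def search_bound(db, category):
    """Hardened form: input is bound as a value and never parsed as SQL."""
    sql = "SELECT name, description, price FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()


def returns_foreign_rows(search, db, value):
    """Regression check: True if any returned row is not a products row."""
    known = set(db.execute("SELECT name, description, price FROM products"))
    return any(tuple(row) not in known for row in search(db, value))


if __name__ == "__main__":
    db = make_db()
    for fn in (search_concat, search_bound):
        print(fn.__name__, "foreign rows:",
              returns_foreign_rows(fn, db, PAGE_INPUT))
```

With the bound version the whole input is compared against category as one literal string, so it matches no product and the secrets table is never read.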