SQL Injection question
Thanks to Google dorks I found some websites coded in PHP which are vulnerable to SQL Injection. On 1 website I was able to fetch the database name, column names etc. from the database server. I want to exactly understand what I'm doing so I have a question about a query I used to fetch the database name:

In a first step I tried to track down the total amount of rows with the following query:

http://vuln_site.com/index.php?id=-1 order by 1
http://vuln_site.com/index.php?id=-1 order by 2
http://vuln_site.com/index.php?id=-1 order by 3
...
http://vuln_site.com/index.php?id=-1 order by 10

A SQL error was shown when I ran the query with 'order by 10'.

This means there are 9 rows in the table, which is clear to me. In the next step I used the query below to track down the database name, and this was also successful.

http://vuln_site.com/index.php?id=-1 union select 1,database(),3,4,5,6,7,8,9

The database name was shown. However, I have a question about this query because I don't understand it completely. Why is the database() object placed in row 2 in the select query from above? As you can see, the digit 2 is replaced with database(), and when executing this the database name shows up.

Thanks in advance!
Reply
Too lazy to provide an informative answer, but you posted this in the wrong section.

#databreach
#RIU
Reply
So what is the right section then? Under Leaks - Database requests?
Reply
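Added example, not part of the original thread or written by any of its posters: a defender-side check in Python that scans web access-log entries for the request sequence the first post describes (a run of "order by N" requests followed by "union select" in the same parameter). The log entries, client addresses and the scan function are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

ORDER_BY = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed sample: (client address, request URL) pairs as parsed from an access log.
SAMPLE_LOG = [
    ("203.0.113.7", "/index.php?id=-1%20order%20by%201"),
    ("203.0.113.7", "/index.php?id=-1%20order%20by%202"),
    ("203.0.113.7", "/index.php?id=-1+order+by+3"),
    ("203.0.113.7", "/index.php?id=-1%20ORDER%20BY%2010"),
    ("203.0.113.7", "/index.php?id=-1%20union%20select%201,database(),3,4,5,6,7,8,9"),
    ("198.51.100.4", "/index.php?id=42"),
    ("198.51.100.4", "/search.php?q=how+to+order+by+date"),
]

def scan(requests, min_probes=3):
    """Return {(client, path, param): finding} for parameters that show
    repeated ORDER BY <n> probing or a UNION SELECT in the value."""
    probes = defaultdict(set)   # distinct ORDER BY indices seen per key
    unions = {}                 # rough column count of the UNION SELECT per key
    for client, url in requests:
        parts = urlsplit(url)
        # parse_qsl URL-decodes %20 and '+' so the regexes see plain spaces
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            text = SQL_COMMENT.sub(" ", value)  # inline comments act as whitespace
            key = (client, parts.path, param)
            for m in ORDER_BY.finditer(text):
                probes[key].add(int(m.group(1)))
            m = UNION_SELECT.search(text)
            if m:
                # comma count is only an estimate (function arguments add commas)
                unions[key] = text[m.end():].count(",") + 1
    findings = {}
    for key in set(probes) | set(unions):
        seen = probes.get(key, set())
        if len(seen) >= min_probes or key in unions:
            findings[key] = {
                "order_by_probes": len(seen),
                "order_by_max": max(seen, default=0),
                "union_columns": unions.get(key, 0),
            }
    return findings

if __name__ == "__main__":
    for key, finding in scan(SAMPLE_LOG).items():
        print(key, finding)
```

A check like this only reports probing. The fix on the PHP side is to bind id as a parameter in a prepared statement (or cast it to an integer) so that request text never becomes part of the SQL statement.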

