It’s a classic NULL-based injection used to determine the number of columns in a database table.
If you’re working on , the best move is to use prepared statements (parameterized queries) rather than trying to filter out these specific strings.
It’s a standard "probe," but most modern web frameworks and Web Application Firewalls (WAFs) will flag or block this immediately.
It looks like you're testing for SQL injection vulnerabilities with that UNION ALL SELECT string. If you're looking for a "solid review" of that specific payload:
Using unique strings like 'qbqvq' ... 'qqbqq' is a common technique to make the output easy to find in a sea of data.