I am in the middle of learning about IT Security.
I wonder why sometimes people use ASCII values for SQL injection attacks? Do you know the reason why?
Why not use the normal ' mark?
If you are just learning IT security then you should first learn the definitions of
before asking the question. ASCII is a mapping of bit patterns onto characters (EBCDIC and Unicode are two others). SQL injection is a method of embedding unwanted (to the attackee) SQL commands in other legitimate commands. It is independent of the character encoding.
So it's not an alternative?
For instance, instead of using ' (mark), you can use %27 for an SQL injection test?
Which is normally
Username = [" or ""=" ]
Password = [" or ""=" ]
You are not protecting yourself by using a different delimiter. You protect yourself (one way) by using parameterized queries. For example, if you have a textbox on a form where a user is building a search query and the user is expected to type in a field to search for, let's say a last name, with the resulting query something like
SELECT * FROM someTable WHERE last_name = 'Jones'
Jones is entered by the user. What would happen if instead of entering Jones, the user entered Jones'; drop table someTable. In that case the resulting query would be
SELECT * FROM someTable WHERE last_name = 'Jones'; drop table someTable
I may not have the syntax exactly right but you get the idea.
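
An added example, not part of the original thread: it shows that %27 is only the URL-encoded form of ' and is decoded before the value reaches the query, so the encoding changes nothing, while a parameterized query treats either form as plain data. It assumes Python's built-in sqlite3 module, a constructed copy of someTable, and a quote-based test input modelled on the one quoted in the thread; the function names are hypothetical.

```python
import sqlite3
from urllib.parse import unquote

# Constructed inputs: the same test string, typed literally and URL-encoded.
LITERAL = "x' or ''='"
ENCODED = "x%27 or %27%27=%27"

def make_db():
    # Constructed sample table, named after the one in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE someTable (last_name TEXT)")
    db.executemany("INSERT INTO someTable VALUES (?)",
                   [("Jones",), ("Smith",), ("Nguyen",)])
    return db

def from_url(raw_value):
    # Web servers and frameworks percent-decode request values before the
    # application sees them, so %27 arrives at the query as a plain '.
    return unquote(raw_value)

def search_concatenated(db, last_name):
    # Vulnerable form: the user's text becomes part of the SQL statement.
    sql = "SELECT last_name FROM someTable WHERE last_name = '" + last_name + "'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, last_name):
    # Hardened form: the value is bound to the ? placeholder and is never
    # parsed as SQL, whatever quote characters it contains.
    sql = "SELECT last_name FROM someTable WHERE last_name = ?"
    return [row[0] for row in db.execute(sql, (last_name,))]

if __name__ == "__main__":
    db = make_db()
    print("decoded equals literal:", from_url(ENCODED) == LITERAL)
    for label, value in (("literal", LITERAL), ("decoded", from_url(ENCODED))):
        print(label, "concatenated ->", search_concatenated(db, value))
        print(label, "parameterized ->", search_parameterized(db, value))
    print("normal search ->", search_parameterized(db, "Jones"))
```
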