I am in the middle of learning about IT Security.

I wonder why people sometimes use ASCII values for SQL injection attacks? Do you know the reason why?

Why not use the normal ' mark?

If you are just learning IT security then you should first learn the definitions of

  1. ASCII
  2. SQL Injection Attack

before asking the question. ASCII is a mapping of bit patterns onto characters (EBCDIC and Unicode are two others). SQL injection is a method of embedding unwanted (to the attackee) SQL commands in other legitimate commands. It is independent of the character encoding.

commented: I'm going to test someone with my EBCDIC SQL INJECTION TEST next. +0

So it's not an alternative?

For instance, instead of using ' (mark), you can use %27 for an SQL injection test?

Which is normally

Username = [" or ""=" ]
Password = [" or ""=" ]

You are not protecting yourself by using a different delimiter. You protect yourself (one way) by using parameterized queries. For example, if you have a textbox on a form where a user is building a search query and the user is expected to type in a field to search for, let's say a last name, with the resulting query something like

SELECT * FROM someTable WHERE last_name = 'Jones'

where Jones is entered by the user. What would happen if, instead of entering Jones, the user entered Jones'; drop table someTable? In that case the resulting query would be

SELECT * FROM someTable WHERE last_name = 'Jones'; drop table someTable

I may not have the syntax exactly right but you get the idea.

commented: Always did have a fondness for "Little Bobby Drop Tables." +0
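Added example, not part of the original thread: it shows that %27 and ' reach the application as the same character once the request is URL-decoded, and how string concatenation and a parameterized query treat that value. The in-memory SQLite database and the function names (`make_db`, `form_value`, `concat_sql`, `search_concat`, `search_param`) are assumptions for illustration; the table and column names follow the post.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """Constructed sample data; someTable/last_name follow the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE someTable (last_name TEXT)")
    db.executemany("INSERT INTO someTable VALUES (?)",
                   [("Jones",), ("O'Brien",)])
    return db

def form_value(query_string):
    # The request is URL-decoded before the application sees it, so
    # %27 and ' are the same character at this point.
    return parse_qs(query_string)["last_name"][0]

def concat_sql(last_name):
    # Vulnerable pattern: user input becomes part of the SQL text.
    return "SELECT * FROM someTable WHERE last_name = '" + last_name + "'"

def search_concat(db, last_name):
    try:
        return db.execute(concat_sql(last_name)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Any quote in the input changes the statement's structure.
        return "SQL error: %s" % exc

def search_param(db, last_name):
    # Parameterized: the value is bound as data, never parsed as SQL.
    return db.execute("SELECT * FROM someTable WHERE last_name = ?",
                      (last_name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed query strings; the last one is the post's input, URL-encoded.
    for qs in ("last_name=Jones", "last_name=%27", "last_name=O%27Brien",
               "last_name=Jones%27%3B+drop+table+someTable"):
        value = form_value(qs)
        print(repr(value))
        print("  concatenated text:", concat_sql(value))
        # Whether a second statement would run depends on the driver;
        # Python's sqlite3 execute() rejects it, many stacks do not.
        print("  concatenated run :", search_concat(db, value))
        print("  parameterized run:", search_param(db, value))
```

With the parameterized version a legitimate name such as O'Brien is found and the post's input simply matches no rows; with concatenation the same values alter or break the statement regardless of how the quote was encoded in transit.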