I am in the middle of learning about IT Security.

I wonder why sometimes people uses ASCII value for SQL injection attack? Do you know the reason why?

Why not using normal ' mark.

3 Months
Discussion Span
Last Post by Reverend Jim

If you are just learning IT security then you should first learn the definitions of

  1. ASCII
  2. SQL Injection Attack

before asing the question. ASCII is a mapping of bit patterns onto characters (EBCDIC and unicode are two others). SQL injection is a method of embedding unwanted (to the atackee) SQL commands in other legitimate commands. It is independent of the character encoding.

Votes + Comments
I'm going to test someone with my EBCDIC SQL INJECTION TEST next.

So it's not an alternative?

For instance instead of using ' (mark), you can use %27 for sql injection test?

Which is normally

Username = [" or ""=" ]
Password = [" or ""=" ]


You are not protecting yourself by using a different delimiter. You protect yourself (one way) by using parameterized queries. For example, if you have a textbox on a form where a user is building a search query and the user is expected to type in a field to search for, let's say a last name, with the resulting query something like

SELECT * FROM someTable WHERE last_name = 'Jones'

where Jones is entered by the user. What would happen if instead of entering Jones, the user entered Jones'; drop table someTable. In that case the resulting query would be

SELECT * FROM someTable WHERE last_name = 'Jones'; drop table someTable

I may not have the syntax exactly right but you get the idea.

Votes + Comments
Always did have a fondness for "Little Bobby Drop Tables."
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.