Hello,

I am in the middle of learning about IT Security.

I wonder why sometimes people use ASCII values for SQL injection attacks? Do you know the reason why?

Why not use the normal ' mark?

2 Contributors, 3 Replies, 21 Views, 2 Months Discussion Span, Last Post by Reverend Jim

If you are just learning IT security then you should first learn the definitions of

  1. ASCII
  2. SQL Injection Attack

before asking the question. ASCII is a mapping of bit patterns onto characters (EBCDIC and Unicode are two others). SQL injection is a method of embedding unwanted (to the attackee) SQL commands in other legitimate commands. It is independent of the character encoding.

Votes + Comments
I'm going to test someone with my EBCDIC SQL INJECTION TEST next.
So it's not an alternative?

For instance, instead of using the ' (mark), you can use %27 for an SQL injection test?

Which is normally

Username = [" or ""=" ]
Password = [" or ""=" ]

You are not protecting yourself by using a different delimiter. You protect yourself (one way) by using parameterized queries. For example, if you have a textbox on a form where a user is building a search query and the user is expected to type in a field to search for, let's say a last name, with the resulting query something like

SELECT * FROM someTable WHERE last_name = 'Jones'

where Jones is entered by the user. What would happen if, instead of entering Jones, the user entered Jones'; drop table someTable? In that case the resulting query would be

SELECT * FROM someTable WHERE last_name = 'Jones'; drop table someTable

I may not have the syntax exactly right but you get the idea.

Votes + Comments
Always did have a fondness for "Little Bobby Drop Tables."
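The two points made in this thread (that %27 is only the percent-encoded spelling of the apostrophe, so the database never sees any difference, and that parameterized queries are what actually stop the injection) can be shown end to end in a few lines. The following is an added example, not code from any post above. It assumes an in-memory SQLite database with a made-up `someTable` and `users` schema and constructed sample rows; the function names (`login_vulnerable`, `login_safe`, `search_vulnerable_stacked`) are mine. Python's `sqlite3.execute()` refuses stacked statements, so `executescript()` stands in for a driver that would run the "drop table" payload from the post.

```python
import sqlite3
from urllib.parse import unquote


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with constructed sample rows (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE someTable (id INTEGER PRIMARY KEY, last_name TEXT);
        INSERT INTO someTable (last_name) VALUES ('Jones'), ('Smith');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse battery');
        """
    )
    return conn


def decode_form_field(raw: str) -> str:
    """What the web server hands the application after URL-decoding a field.
    %27 is the percent-encoded apostrophe (ASCII 0x27); by the time the SQL
    layer sees it, it is the same byte as a literally typed quote."""
    return unquote(raw)


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: values travel separately from the statement text,
    so a quote inside a value is only ever data, never a delimiter."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def search_vulnerable_stacked(conn: sqlite3.Connection, last_name: str) -> None:
    """The post's DROP TABLE scenario. executescript() emulates a driver that
    allows several statements in one call (sqlite3.execute() does not)."""
    sql = "SELECT * FROM someTable WHERE last_name = '" + last_name + "'"
    conn.executescript(sql)


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run every scenario and return the outcomes so they can be checked."""
    results = {}

    # The classic bypass from the thread, typed with a literal quote ...
    literal = "' OR ''='"
    # ... and the identical payload as a browser would percent-encode it.
    encoded = "%27%20OR%20%27%27%3D%27"
    results["decoded_equals_literal"] = decode_form_field(encoded) == literal

    conn = setup_db()
    results["vuln_login_with_literal"] = login_vulnerable(conn, literal, literal)
    decoded = decode_form_field(encoded)
    results["vuln_login_with_decoded"] = login_vulnerable(conn, decoded, decoded)
    results["safe_login_with_literal"] = login_safe(conn, literal, literal)
    results["safe_login_real_creds"] = login_safe(conn, "alice", "correct horse battery")

    # Stacked-statement injection. The trailing "SELECT '" swallows the quote
    # the application appends, so the whole script parses cleanly.
    results["table_before"] = table_exists(conn, "someTable")
    search_vulnerable_stacked(conn, "Jones'; DROP TABLE someTable; SELECT '")
    results["table_after"] = table_exists(conn, "someTable")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the encoded and literal payloads behaving identically against the concatenated query, the parameterized login rejecting the payload while still accepting the real credentials, and `someTable` disappearing once a stacking-capable driver executes the concatenated search. The encoding is a transport detail; the fix is keeping data out of the statement text.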