SQL injection? CHAR(45,120,49,45,81,45)

19,276

Solution 1

This is just a test for injection. If an attacker can see xQs in the output then they'll know injection is possible.

There is no "risk" from this particular query.

A developer should pay no attention to whatever injection mechanisms, formats or meanings - these are none of his business.

There is only one cause for all the infinite number of injections - an improperly formatted query. As long as your queries are properly formatted then SQL injections are not possible. Focus on your queries rather than methods of SQL injection.

Solution 2

The Char() function interprets each value as an integer and returns a string consisting of the characters given by the code values of those integers. With Char(), NULL values are skipped. The function is used within Microsoft SQL Server, Sybase, and MySQL, while CHR() is used by RDBMSs.

SQL's Char() function comes in handy when (for example) addslashes() for PHP is used as a precautionary measure within the SQL query. Using Char() removes the need for quotation marks within the injected query.

An example of some PHP code vulnerable to an SQL injection using Char() would look similar to the following:

$id = addslashes( $_GET['id'] );  // escapes quote characters only
$query = 'SELECT username FROM users WHERE id = ' . $id;  // $id is concatenated unquoted

While addslashes() has been used, the script fails to properly sanitize the input as there is no trailing quotation mark. This could be exploited using the following SQL injection string to load the /etc/passwd file:

Source: http://hakipedia.com/index.php/SQL_Injection#Char.28.29
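For log triage, the CHAR() calls in a request like the one quoted in the question can be decoded to show what the probe places in each UNION column. The following is an added example, not part of the original answers or of the linked source. The function names are hypothetical, and treating each code value as an ASCII/Unicode code point is an assumption.

```python
import re
from urllib.parse import unquote_plus

# CHAR(...) / CHR(...) calls whose arguments are all decimal code values.
CHAR_CALL = re.compile(r"\bCHA?R\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)

# The request string quoted in the question on this page, split across lines.
PAGE_REQUEST = (
    "properties?page=2side1111111111111 UNION SELECT "
    "CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),"
    "CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),"
    "CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),"
    "CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),"
    "CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),"
    "CHAR(45,120,49,54,45,81,45) -- /*"
)


def decode_char_calls(text):
    """Return the string each CHAR()/CHR() call would evaluate to, in order."""
    decoded = []
    for match in CHAR_CALL.finditer(text):
        codes = [int(n) for n in match.group(1).split(",")]
        # Assumption: values are code points; out-of-range values become "?".
        decoded.append("".join(chr(c) if c <= 0x10FFFF else "?" for c in codes))
    return decoded


def triage(request_line):
    """Summarise one logged request: UNION probe or not, and the decoded markers."""
    text = unquote_plus(request_line)  # logs often hold the URL-encoded form
    markers = decode_char_calls(text)
    return {
        "union_select": bool(UNION_SELECT.search(text)),
        "column_count": len(markers),
        "markers": markers,
        # Several distinct markers: each column gets its own recognisable value,
        # so whichever one is echoed in the response identifies that column.
        "numbered_probe": len(markers) > 1 and len(set(markers)) == len(markers),
    }


if __name__ == "__main__":
    print(triage(PAGE_REQUEST))
```

For the logged request, the sixteen CHAR() calls decode to `-x1-Q-` through `-x16-Q-`, one numbered marker per selected column.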

Author by

roo

Head of IT at rent.com.au

Updated on October 19, 2022

Comments

  • roo
    roo over 1 year

    I just saw this come up in our request logs. What were they trying to achieve?

    The full request string is:

    properties?page=2side1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45) -- /*
    

    Edit: As a Google search didn't return anything useful I wanted to ask the question for people who encounter the same thing.