Bypassing security controls

There are different controls that can be implemented to prevent SQL injection attacks. The most basic and important one is input validation, but sometimes the DBMS itself, or other software in front of it, adds compensating controls. One usual control is restricting the kinds of queries that can be made by blocking characters using whitelists or blacklists.

If single quotes are blocked, as in the following example, all the injections shown before would fail. It is still possible to continue injecting the SQL statement using something like the following:

SELECT student_name, average FROM students WHERE kardex=CHR(109)||CHR(97)||CHR(114)||CHR(99)||CHR(117)||CHR(115)

Here, you continue injecting the string but without using single quotes.

Also, sometimes a blacklist blocks specific statements, such as the common ' or 1=1--, so try statements that produce an equal result, for example ' or 'a' = 'a, which evaluates the same way.

As in other vulnerabilities described in this book, it is possible to encode the strings entered into the application to avoid some input validation controls; for example, you can use this:

%2553%2545%254c%2545%2543%2554

as a test string to bypass a whitelist (it is the double URL encoding of SELECT). Also take advantage of all the characters allowed by the SQL syntax, such as comments:

SE/*cosa*/LECT student_name, average FR/*cosa*/OM students WH/*cosa*/ERE kardex=' UNI/*cosa*/ON SEL/*cosa*/ECT @@version,NULL,NULL--

In the preceding statement, the inline comments split the keywords so that they do not match the words included in a blacklist.
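The following Python script is an added illustration, not code from the book, showing why the controls discussed in this section fail and what actually closes the hole. It reproduces a naive blacklist of the kind described above (reject single quotes and a few keywords as typed), a normalization step a defender can apply before inspection (repeated URL decoding plus inline-comment stripping, which makes the double-encoded and comment-split payloads visible again), and a parameterized version of the students query in SQLite, where the same payloads are compared as plain strings and match nothing. The table contents are constructed; the CHR chain from the page decodes to the kardex value marcus, which is why that row is seeded.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data (not from the book) mirroring the page's students query.
ROWS = [("marcus", "Marcus Webb", 8.7), ("ana", "Ana Ruiz", 9.1)]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (kardex TEXT, student_name TEXT, average REAL)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", ROWS)
    return conn


BLOCKED_WORDS = ("select", "union", "or 1=1")


def naive_blacklist_allows(value: str) -> bool:
    """The weak control the page describes: reject single quotes and a few
    keywords exactly as typed. Returns True when the input would be let through."""
    lowered = value.lower()
    return "'" not in value and not any(w in lowered for w in BLOCKED_WORDS)


def normalize(value: str) -> str:
    """Canonicalize before inspecting: undo URL encoding until the string stops
    changing (defeats %25-style double encoding) and strip inline /* */ comments
    so split keywords are joined again."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return re.sub(r"/\*.*?\*/", "", value, flags=re.S)


# Hypothetical review rule: normalized input still containing SQL keywords,
# a CHR() call, or the || concatenation operator deserves a closer look.
SUSPICIOUS = re.compile(r"\bselect\b|\bunion\b|\bchr\s*\(|\|\|", re.I)


def flag_for_review(value: str) -> bool:
    """Detection helper: True if the normalized input looks like SQL."""
    return bool(SUSPICIOUS.search(normalize(value)))


def lookup(conn, kardex: str):
    """The real fix: bind kardex as a parameter, so whatever it contains is
    compared as a literal string and is never parsed as part of the statement."""
    cur = conn.execute(
        "SELECT student_name, average FROM students WHERE kardex = ?", (kardex,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    conn = build_db()
    samples = [
        "marcus",
        "CHR(109)||CHR(97)||CHR(114)||CHR(99)||CHR(117)||CHR(115)",
        "%2553%2545%254c%2545%2543%2554",
        "UNI/*cosa*/ON SEL/*cosa*/ECT @@version",
        "' or 'a' = 'a",
    ]
    for s in samples:
        print(
            f"{s!r:60} blacklist_allows={naive_blacklist_allows(s)!s:5} "
            f"flagged={flag_for_review(s)!s:5} rows={lookup(conn, s)}"
        )
```

Running the script shows the three bypass payloads from this section passing the naive blacklist while the normalized check flags each of them, and every one of them returning zero rows from the parameterized query; only the literal kardex value returns a student. The normalization step is useful for logging and alerting, but the parameter binding is what removes the injection, and it does so without any list of forbidden characters to maintain.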
