The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Exploiting Defective Filters

It is very common for applications to seek to defend themselves against SQL injection by escaping any single quotation marks that appear within string-based user input (and rejecting any that appear within numeric input). As you have seen, two single quotation marks together are an escape sequence that represents one literal single quote, which the database will interpret as data within a quoted string rather than the closing string terminator. Many developers reason, therefore, that by doubling up any single quotation marks within user-supplied input, they will prevent any SQL injection attacks from occurring.

In addition to doubling up quotation marks, some applications perform other operations in an effort to sanitize potentially malicious input. In this situation, it may be possible to exploit the ordering of these steps to bypass the filter, as described in Chapter 2.

Recall the vulnerable login example. Suppose that the application doubles up any single quotation marks contained in user input, and also then imposes a length limit on the data, truncating it to 20 characters. Supplying the username

admin'--
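The ordering problem described above (escape first, then truncate to 20 characters) can be demonstrated and caught with a small unit test. The following is an added example, not code from the book: it models the defective filter beside the corrected ordering, adds a check that flags any filter output containing a quote the database would read as a string terminator, and shows the parameterized-query approach that makes the escaping question moot. The 20-character limit comes from the text; the helper names, the in-memory SQLite table and the sample input are constructed for this example.

```python
import sqlite3

MAX_LEN = 20  # length limit from the text


def escape_quotes(s: str) -> str:
    """Standard SQL string escaping: each single quote becomes two."""
    return s.replace("'", "''")


def defective_filter(user_input: str) -> str:
    """Escape first, then truncate: the ordering the text describes.

    Truncation can cut an escape pair ('') in half, leaving a lone quote
    that the database will treat as the end of the string literal.
    """
    return escape_quotes(user_input)[:MAX_LEN]


def correct_order_filter(user_input: str) -> str:
    """Enforce the length limit on the raw data, then escape.

    The escaped form may be longer than MAX_LEN, but it can never
    contain a dangling quote, because escaping is the final step.
    """
    return escape_quotes(user_input[:MAX_LEN])


def has_dangling_quote(escaped: str) -> bool:
    """True if the string holds a run of single quotes of odd length.

    Inside a quoted SQL string, quotes are consumed in pairs ('' = one
    literal quote); an odd-length run therefore ends with a quote the
    parser would read as the string terminator. Use this as a regression
    check on the output of any escaping filter.
    """
    i, n = 0, len(escaped)
    while i < n:
        if escaped[i] != "'":
            i += 1
            continue
        j = i
        while j < n and escaped[j] == "'":
            j += 1
        if (j - i) % 2 == 1:
            return True
        i = j
    return False


def login_parameterized(username: str) -> bool:
    """Login lookup with a bound parameter (constructed in-memory table).

    The username is passed as data, never spliced into the SQL text, so
    no escaping or truncation order matters for query structure.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO users VALUES ('admin')")
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    conn.close()
    return row is not None


# Constructed sample: 19 ordinary characters followed by one quote.
# Escaping yields 21 characters; truncating to 20 drops half the pair.
CONSTRUCTED_INPUT = "a" * 19 + "'"


if __name__ == "__main__":
    print("defective :", repr(defective_filter(CONSTRUCTED_INPUT)),
          "dangling =", has_dangling_quote(defective_filter(CONSTRUCTED_INPUT)))
    print("corrected :", repr(correct_order_filter(CONSTRUCTED_INPUT)),
          "dangling =", has_dangling_quote(correct_order_filter(CONSTRUCTED_INPUT)))
    print("param login('admin')    :", login_parameterized("admin"))
    print("param login(\"admin'--\"):", login_parameterized("admin'--"))
```

Running `has_dangling_quote` over a filter's output for boundary-length inputs is a cheap check to add to a test suite; the parameterized lookup is the actual fix, since it removes the need to reason about escaping and truncation order at all.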
