prevent attacks using char() ?

Mar 25, 2010 at 3:18 PM

Hi all,

We've recently seen some attacks that use the SQL CHAR() function to encode the SQL commands, e.g.,
OR 0 IN (SELECT TOP 1 CHAR(60)+CHAR(115)+CHAR(120)+CHAR(102)+CHAR(113)+CHAR(114)+CHAR(110)+CHAR(107)+CHAR(102)+CHAR(62)+COALESCE(CAST(0 AS VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(120)+

[... etc]

We're about to install this ISAPI to try and head it off for a bit while we make the underlying code safer, but I'm wondering: Has anyone else experienced this type of encoding, and does the Sanitation ISAPI Wildcard work against it?

Thank you ...
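A filter can only match encoded SQL of this shape if it first decodes the CHAR() concatenation back into the string it builds; the snippet below is an added example of that decoding step run over constructed request strings, not code from the post or from the ISAPI product asked about. Function names, the sample inputs and the percent-encoded variants are assumptions made for the example; the first sample is built from the fragment quoted in the post.

```python
import re
from urllib.parse import unquote

# Matches two or more CHAR(n) calls joined with '+', the concatenation shape in the post.
CHAR_CHAIN = re.compile(
    r"CHAR\(\s*\d{1,3}\s*\)(?:\s*\+\s*CHAR\(\s*\d{1,3}\s*\))+", re.IGNORECASE)
# Pulls the individual numeric arguments out of a matched chain.
CHAR_CODE = re.compile(r"CHAR\(\s*(\d{1,3})\s*\)", re.IGNORECASE)


def decode_char_chains(sql_text):
    """Return the literal string each CHAR()+CHAR()+... chain in sql_text encodes."""
    decoded = []
    for chain in CHAR_CHAIN.finditer(sql_text):
        codes = [int(c) for c in CHAR_CODE.findall(chain.group(0))]
        # SQL Server CHAR() takes 0..255; anything larger cannot be a valid byte.
        decoded.append("".join(chr(c) for c in codes if c <= 255))
    return decoded


def inspect_query_string(raw_query_string):
    """Percent-decode a request query string and report any CHAR() chains it hides.

    unquote() is used rather than unquote_plus() so that a literal '+' between
    CHAR() calls survives decoding; when it is sent as %2B, unquote() restores it.
    """
    text = unquote(raw_query_string)
    chains = decode_char_chains(text)
    return {"decoded_chains": chains, "suspicious": len(chains) > 0}


# Constructed sample inputs (not real traffic): the first is built from the
# fragment quoted in the post, the others are benign or percent-encoded variants.
SAMPLES = {
    "post_fragment": (
        "OR 0 IN (SELECT TOP 1 CHAR(60)+CHAR(115)+CHAR(120)+CHAR(102)+CHAR(113)"
        "+CHAR(114)+CHAR(110)+CHAR(107)+CHAR(102)+CHAR(62)"
        "+COALESCE(CAST(0 AS VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(120)+"
    ),
    "encoded_request": "id=1%20OR%200%20IN%20(SELECT%20CHAR(60)%2BCHAR(115)%2BCHAR(62))",
    "benign": "id=42&sort=name",
    "single_char": "q=SELECT%20CHAR(65)",  # one CHAR() alone is not a concatenation chain
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(name, inspect_query_string(qs))
```

Matching on the decoded string rather than on the raw request is what lets a filter see the `<...>` markup the chain assembles; a plain pattern for `<script` or quotes would never fire on the encoded form. Like the ISAPI filter in the question, this is a stopgap for the log pipeline or request filter, and a single `CHAR(60)` in a legitimate search term is not flagged because the chain needs at least two concatenated calls; the lasting fix remains the one the poster names, parameterizing the underlying queries.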