Russian3434 / hackbar

Automatically exported from code.google.com/p/hackbar

Feature request: decode SQL char() #7

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Is it possible to add a function in the SQL menu that reverts all calls to char(xx) to their ASCII value?

Thank you.

Original issue reported on code.google.com by aurelien...@gmail.com on 28 Sep 2010 at 11:52

GoogleCodeExporter commented 8 years ago
Please explain better why you would want to revert the CHAR function. I can't see the point of this feature.

Original comment by pedlag...@gmail.com on 28 Sep 2010 at 2:42

GoogleCodeExporter commented 8 years ago
In fact, I have some SQL injection attempts in the server logs. I use HackBar to understand what they are trying to do.

e.g.:
id=1'%20And%20(Select%20Top%201%20char(124)%2BCast([file]%20as%20varchar(8000))%
2Bsubdirectory%2Bchar(124)%20From%20(Select%20Top%20106%20[subdirectory],[file]%
20From%20D99_Tmp%20ORDER%20BY%20

I use Encoding => URL decode to decode the %XX
=> result:
id=1' And (Select Top 1 char(124)+Cast([file] as 
varchar(8000))+subdirectory+char(124) From (Select Top 106 
[subdirectory],[file] From D99_Tmp ORDER BY 

I just need a function to avoid manually converting every char(124) to the ASCII value.

Thanks

Original comment by aurelien...@gmail.com on 28 Sep 2010 at 3:42

GoogleCodeExporter commented 8 years ago
Hi Aurelien,

This is a very specific use of HackBar, and it's not intended to be used this way. The objective of this tool is to provide an easy way to pentest, not for forensic analysis.

Anyway, I'm planning to implement an int to ASCII conversion as we already have 
for hex to ASCII.

Original comment by pedlag...@gmail.com on 29 Sep 2010 at 8:21
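
The decoding requested in this thread, as an added example that is not part of the original issue and not HackBar code: it percent-decodes a logged query string and replaces each char(N) call with the quoted character it evaluates to. It goes slightly beyond the thread's case by also handling multi-argument char(N,M,...) calls; all function names are hypothetical.

```javascript
// Added example, not HackBar code; all function names are hypothetical.

// Log line quoted in the thread, rejoined into one string (it is cut off
// after "ORDER BY" in the original report).
const SAMPLE =
  "id=1'%20And%20(Select%20Top%201%20char(124)%2BCast([file]%20as%20" +
  "varchar(8000))%2Bsubdirectory%2Bchar(124)%20From%20(Select%20Top%20106" +
  "%20[subdirectory],[file]%20From%20D99_Tmp%20ORDER%20BY%20";

// Percent-decode byte by byte. Unlike decodeURIComponent, this never throws
// on a truncated or malformed escape (common in cut-off log lines): invalid
// sequences are left as they are. Bytes map 1:1 to code points (no UTF-8).
function urlDecodeLoose(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Render one character code as it would appear inside a SQL string literal.
function renderCode(n) {
  if (n === 39) return "''"; // doubled quote keeps the literal well-formed
  if (n >= 32 && n <= 126) return String.fromCharCode(n);
  return "\\x" + n.toString(16).padStart(2, "0"); // keep other codes visible
}

// Replace char(N) and char(N,M,...) with the quoted text they evaluate to.
// \b keeps varchar(8000) from matching; non-decimal arguments stay untouched.
function decodeSqlChar(sql) {
  const call = /\bchar\s*\(\s*(\d{1,7}(?:\s*,\s*\d{1,7})*)\s*\)/gi;
  return sql.replace(call, (whole, args) => {
    const codes = args.split(",").map((a) => parseInt(a.trim(), 10));
    if (codes.some((n) => n > 0x10ffff)) return whole; // not a character code
    return "'" + codes.map(renderCode).join("") + "'";
  });
}

// URL-decode first, then resolve char() calls, so a decoded '%' is never
// percent-decoded a second time.
function decodeLoggedQuery(raw) {
  return decodeSqlChar(urlDecodeLoose(raw));
}

console.log(decodeLoggedQuery(SAMPLE));
```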