URL encoding and decoding question

This is an example from a book I’ve read, but I don’t understand how it works.

A web admin may attempt to block SQL injections by blocking input containing the apostrophe character.

However, an input containing double encoding may be able to defeat the filter.

eg : %2527

Why is this so ? The book stated that %2527 will become %27 after decoding it. What’s the process behind it ?

If the filter blocks the apostrophe character, %2527 should become 27 ? As %25 represents an apostrophe.

Guidance is appreciated.

Hi Grimaden, welcome to the forums

No, %25 represents %
%27 represnts ’

Don’t rely upon character replacement for sql injection defenses. Parameterize your queries and if that isn’t possible at least use the native escape functions.

Oops my bad. In this case, since it blocks apostrophe ( %27) , it removes the ‘25’ which is actually represents % (%25) instead to nullify the apostrophe which gives the result of %27 ?

@wwb_99 : Thanks for the advice.


' is a good replacement for apostrophes but mysqli_real_escape_string will also “correct” other troublesome characters.