
SQL injection attack/attempt test page

If you have reached this page, you tried the SQL injection attack attempt without passing a malicious SQL statement as a query parameter.

Try it again by clicking here instead (this will display a custom error message including the translated SQL statement — similar to the output we display when we receive such a request. Don't worry, you will not be reported). Almost 100% of the attack attempts we are seeing try to load code from (It's not an active link, access at your own risk).

This page is meant to test against suspicious Query Parameters and react accordingly:
  • Prevent further execution of the code and prevent serving of the requested page
  • Decode the SQL statement and output a warning message
  • Write an entry in a DB table, logging time, IP, and statement
  • Send an admin email with the above information

Translate your code below

It seems like a lot of people are lost when it comes to translating/decoding the hexadecimal value of the SQL statement.
Copy and paste the whole request from your logfile - the request might look like this:


in the field below and we will try to decode it for you (we did our best but it might or might not work for everyone, especially since the statements are likely to change):

If the above tool doesn't provide you with a valid translation (there are many reasons why this can happen), email us the code you see in your access log and we will be happy to try and translate it for you manually and email it back to you.

The tool only decodes hex-encoded statements. URL-encoded or otherwise encoded strings will be disregarded.
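
The following is an added example, not the code behind this page's tool: it pulls `0x…` hex runs out of a logged request and decodes them to readable text for review, ignoring URL-encoded parts as described above. The log line format, the 16-digit minimum and the UTF-16LE check are assumptions, and the sample statement is constructed and harmless.

```python
import re

# "0x" followed by at least 8 hex byte pairs; the minimum (an assumption)
# skips short numeric literals such as 0x1F.
HEX_RUN = re.compile(r"0x((?:[0-9A-Fa-f]{2}){8,})")


def decode_hex_run(hex_digits):
    """Turn one run of hex digits into text that is safe to display or log."""
    raw = bytes.fromhex(hex_digits)
    # Assumption: a payload meant for a wide-character type is UTF-16LE, so
    # for ASCII text every second byte is NUL.
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("latin-1")  # maps every byte, never raises
    # Control characters are replaced so the output cannot corrupt a log or terminal.
    return "".join(c if c.isprintable() else "?" for c in text)


def decode_request(log_line):
    """Return the decoded text of every hex run found in a logged request."""
    return [decode_hex_run(m.group(1)) for m in HEX_RUN.finditer(log_line)]


# Constructed sample data: a harmless statement, hex-encoded two ways.
SAMPLE_SQL = "SELECT 'constructed sample'"
LINE_ASCII = ('203.0.113.5 - - [01/Jan/2000:00:00:00 +0000] "GET /item.php?id=1;0x'
              + SAMPLE_SQL.encode("ascii").hex().upper() + ' HTTP/1.1" 200 512')
LINE_UTF16 = ('203.0.113.5 - - [01/Jan/2000:00:00:00 +0000] "GET /item.php?id=1;0x'
              + SAMPLE_SQL.encode("utf-16-le").hex() + ' HTTP/1.1" 200 512')

if __name__ == "__main__":
    for line in (LINE_ASCII, LINE_UTF16):
        print(decode_request(line))
```

Treat the decoded text as untrusted data: display or store it, never execute it.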

Related blog postings

SQL injection attempts: no end in sight?

SQL injection attack attempts: Part 2: Answers

SQL injection attacks: Part 3: Securing your forms and preventing SQL injection attempts (PHP/MySQL)

SQL injection attacks: Part 4: What the JavaScript does