Partial sanitizing may affect any or more (unlisted here) of the following important syntax characters and result in them being encoded in some fashion, escaped, or removed entirely. In many circumstances, it is possible to craft injection queries without syntax characters, resulting in filter bypass and sometimes IDS evasion.
- The space character (or all whitespace)
- Jump to sql injection without whitespace
- The single quote and double quote characters: ', "
- Jump to sql injection without quotes
- The tag or "equals" comparative operators: <, >, and =
- Jump to sql injection without tags
- The comma character: ,
- Jump to sql injection without commas
- The parenthesis characters: ( and )