I do hacking courses, and in one of the lessons I have a possible SQLi, but in the source code, there is an if clause just before the SQL statement, which filters the quote symbol:
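    user = "user"
    password = "pass"
    # Blacklist check: reject any input that contains a single quote
    if "'" in user + password:
        print("error")
    else:
        # The query is built with string formatting, not bound parameters
        db.execute("select * from users where username='%s' and password='%s'" % (user, password))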
So, when I try to inject in one of the fields asdf' or '1'='1, the if clause stops it. I've tried to encode the quotation mark symbol into different encodings (hex, base64, html, etc.), but that still does not work.
PS: The code is written in Python.
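Seen from the defender's side, the snippet above puts a character blacklist in front of a string-built query. The following is an added example, not part of the original post: it places that pattern beside the same lookup done with bound parameters. The sqlite3 backend, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table (sample rows, not from the post).
    Plaintext passwords only mirror the post's query; real tables store hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("o'brien", "it's-long")])
    return db

def login_blacklist(db, user, password):
    """The post's pattern: refuse quotes, then format the values into SQL text."""
    if "'" in user + password:
        return "error"
    sql = "select * from users where username='%s' and password='%s'" % (user, password)
    return db.execute(sql).fetchone()

def login_bound(db, user, password):
    """Hardened form: the SQL text is constant and the values are bound
    parameters, so no character in them can change the statement."""
    sql = "select * from users where username=? and password=?"
    return db.execute(sql, (user, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # The blacklist locks out a legitimate account whose data contains a quote.
    print(login_blacklist(db, "o'brien", "it's-long"))
    # The bound query handles the same account without any filtering.
    print(login_bound(db, "o'brien", "it's-long"))
    # The string from the post is compared as a literal username: no match.
    print(login_bound(db, "asdf' or '1'='1", "x"))
```

With bound parameters the quote check is no longer needed at all, which also removes the false rejections it causes for valid input.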