---
layout: post
title: "SQLi workarounds"
date: 2013-11-15 16:57:00 +0800
---

If the literal comparison `='sth'` is sanitised, use `LIKE CONCAT(CHAR(115),CHAR(116),CHAR(104))`: the `CHAR()` calls spell out `sth` without a quoted string literal in the query text.

If `LIMIT x,y` is sanitised, use `WHERE NOT(column_name IN (value1,value2,...))` to exclude the rows already seen instead of paging with an offset.
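As an added example (not part of the original post), here is a small Python `sqlite3` harness that shows why a token blacklist of the kind described above is not a fix: the filter rejects the literal `='` form but lets the `LIKE char(...)` form through, while a parameterized query treats the same input purely as data. SQLite's `char(115,116,104)` stands in for MySQL's `CONCAT(CHAR(115),CHAR(116),CHAR(104))`; the table, rows, blacklist and function names are all constructed for this example, and only the first of the two workarounds is exercised.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
SAMPLE_ROWS = [("alice", "s3cret"), ("sth", "hunter2"), ("bob", "pass")]

# The kind of token filter the post describes as "sanitised": it looks
# for specific substrings rather than fixing how the query is built.
BLACKLIST = ("='", "LIMIT")


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def passes_blacklist(user_input):
    """Naive filter: rejects input only if it contains a blacklisted token."""
    upper = user_input.upper()
    return not any(token in upper for token in BLACKLIST)


def lookup_by_concat(conn, name):
    """Vulnerable: query text is built from user input, guarded only by the blacklist.

    The ='...' literal is blocked, but LIKE char(115,116,104) is not, so the
    blacklist gives no real protection.
    """
    if not passes_blacklist(name):
        raise ValueError("rejected by blacklist")
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened: the input is bound as a parameter, so it is only ever compared as data.

    No blacklist is needed; the database never parses the input as SQL.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    # Constructed hostile input using the post's CHAR()-based form of 'sth'.
    hostile = "x' OR name LIKE char(115,116,104) -- "
    print("blacklist lets it through:", passes_blacklist(hostile))
    print("string-built query returns:", lookup_by_concat(db, hostile))
    print("parameterized query returns:", lookup_parameterized(db, hostile))
```

The lesson for the defender is that the filter and the fix live at different layers: a substring blacklist can always be sidestepped by an equivalent expression the filter does not know about, whereas parameter binding removes the possibility of the input being parsed as SQL at all.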