Is this an SQL injection attack? If so, what's it trying to do?

I'm seeing a number of entries in my access log where 'A=0 is added to a query parameter, e.g.:

http://www.server.org/foo/?bar=1'A=0&type=xml

The parameter that 'A=0 is attached to varies, but it's always 'A=0, so it seems unlikely that this is some accidentally malformed URL being clicked on. Also, the referer is always the same as the target URL, which makes me think it's a wholly manufactured request.

What I don't get is what this is intended to do. Assuming it's an SQL injection attempt, it seems like it would generate invalid SQL and simply fail. Is there something I'm missing?


It's a bit of a blunt instrument, intended to "probe" poorly-written sites, i.e. those vulnerable to SQL Injection attacks and with poor error-handling.

$user = $_GET[ 'bar' ] ; // "1'A=0" 
$sql = "select * from users where username = '$user'" ; // literally '1'A=0' 

Such sites will throw an error at this and, more than likely, display the whole error message for all the world, and the attacker, to see. The wording of that error will, most likely, be DBMS-specific.
So, one dodgy request like this and Bingo! Your attacker now knows what DBMS you're running and can reach for their favourite "Attack Vector Playbook" to start breaking into that.
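
The behaviour described in the answer above, as an added example that is not part of the original answer: the logged value 1'A=0 is run through a concatenated query that echoes the database error, then through a parameterized query with a generic error response. It uses Python's sqlite3 as a stand-in for the PHP page and its DBMS; the table, function names and response strings are assumptions made for illustration.

```python
import sqlite3

PROBE = "1'A=0"  # the parameter value seen in the access log on this page


def make_db():
    """Constructed in-memory database standing in for the site's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text)")
    db.execute("insert into users values ('alice')")
    return db


def lookup_vulnerable(db, user):
    """Mirrors the PHP in the answer: string concatenation, raw error echoed."""
    sql = "select * from users where username = '%s'" % user
    try:
        return 200, str(db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # The driver's wording (and the query itself) goes back to the client,
        # which is what lets a single request identify the DBMS.
        return 500, "SQL error: %s in [%s]" % (exc, sql)


def lookup_hardened(db, user):
    """Bound parameter: the quote is data, not SQL. Errors stay server-side."""
    try:
        rows = db.execute(
            "select * from users where username = ?", (user,)
        ).fetchall()
        return 200, str(rows)
    except sqlite3.Error:
        # Record the detail in the server log only; the client gets no wording
        # that depends on the database in use.
        return 500, "Internal error"


if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_vulnerable, lookup_hardened):
        for value in ("alice", PROBE):
            print(handler.__name__, repr(value), "->", handler(db, value))
```

With the bound parameter the probe is just a username that matches no row, so the response is an ordinary empty result and carries nothing that distinguishes one DBMS from another.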