
Xara Designer Pro Plus 21'and(select'1'from/**/cast(md5(1471400058)as/**/int))>'0 (2027)

The string is designed to trick a database into executing a command while checking for a specific response.

' : The attacker adds a single quote ( ' ) to see if it "breaks" the database query. If the server isn't properly sanitizing input, this quote will terminate a string and allow the next part to be read as a command.

md5(1471400058) : This is the "signature" of the attack.

cast(... as int) : The cast(... as int) command attempts to force this long string into a number. In many databases (like PostgreSQL or SQL Server), this will trigger a verbose error message that displays the hash. If an attacker sees that hash in your server's error logs or response, they know the site is vulnerable to SQL injection.

>'0 : A final logical comparison to ensure the syntax is "correct" enough for the database to attempt execution.

Ensure any web forms you host (e.g., "Contact Us" or "Product Search") use parameterized queries to prevent these strings from being executed by the database.

Why are you seeing this?

According to official Xara documentation, Xara Designer Pro+ is a desktop-based vector and photo editor. However, because it integrates with Xara Cloud for collaboration and document storage, any web-facing portal (like a login or support page) could be the recipient of this probe.
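An added example (not from this page or from Xara) showing why the parameterized-query advice works and how to spot this probe in access logs: an in-memory SQLite catalogue stands in for a product-search backend (a constructed schema, since the page names none), the probe string is run through a string-concatenated query and through a bound-parameter query, and a regex flags the cast(md5(...) as int) construct in URL-encoded log lines.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# The probe string quoted on this page (a product name with the injection suffix).
PROBE = "Xara Designer Pro Plus 21'and(select'1'from/**/cast(md5(1471400058)as/**/int))>'0"

def make_db():
    """Constructed in-memory catalogue standing in for a 'Product Search' backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("Xara Designer Pro Plus 21",), ("Xara Photo & Graphic Designer",)])
    return conn

def search_unsafe(conn, term):
    """Vulnerable form: the term is spliced into the SQL text, so the quote in
    the probe closes the literal and the rest is handed to the SQL parser.
    Returns ("rows", [...]) or ("error", message)."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    try:
        return ("rows", [r[0] for r in conn.execute(sql)])
    except sqlite3.Error as exc:
        # Any database error here means the input reached the SQL parser.
        return ("error", str(exc))

def search_safe(conn, term):
    """Hardened form: the term is bound as a parameter and can only ever be data."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return ("rows", [r[0] for r in rows])

# Detection: cast(md5(<number>) as int), with optional /**/ comment padding,
# is the distinctive part of this probe family.
PROBE_RE = re.compile(r"cast\s*\(\s*md5\s*\(\s*\d+\s*\)\s*as(?:\s|/\*.*?\*/)+int\s*\)", re.I)

def looks_like_probe(log_line):
    """True if an access-log line carries the probe, URL-encoded or not."""
    return bool(PROBE_RE.search(unquote_plus(log_line)))

# Constructed access-log lines: the probe as a browser would submit it, and a benign search.
LOG_LINES = [
    "GET /search?q=Xara+Designer+Pro+Plus+21%27and%28select%271%27from%2F%2A%2A%2F"
    "cast%28md5%281471400058%29as%2F%2A%2A%2Fint%29%29%3E%270 HTTP/1.1",
    "GET /search?q=Xara+Designer+Pro+Plus+21 HTTP/1.1",
]

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", search_unsafe(db, PROBE))   # ('error', ...): input was parsed as SQL
    print("safe:  ", search_safe(db, PROBE))     # ('rows', []): treated as a literal name
    print([looks_like_probe(line) for line in LOG_LINES])  # [True, False]
```

SQLite's error text differs from PostgreSQL's or SQL Server's, but any database error from the concatenated query shows the input was parsed as SQL, while the bound version simply returns no rows.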
