%22

is an URL-encoded quote mark (") - this is usually due to a malformed link.

For a list of URL-encoded characters, see here:

[w3schools.com...]

It's not just a malformed link when it's a bot appending it to over 1,000 different pages.

In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed eith the end quote (from reading

<a href="[b]/my-page.html"[/b]>

), or they have generated a list of URLs but their regex is defective.

One second .... is there any other data with this query string?

Reason I ask is if you have a query like this

select * from table where field like "%$term"

A quote can do some serious damage.

$term = 'blah%22%20or%201=1%22';

Add those two together,

select * from table where field like "%blah" or 1=1"

And you have a basic mysql injection that displays all records from a given table.

While we've certainly been the vicitm of SQL injection attacks, this time they only appended those characters to the URL.

it may be sending the quote to just test your server responses... See if it is exploitable further..

Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation if there is a lot of other squirrelly stuff then it is more likely to be Rocknbil's explanation

Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like:

mysite.com/news.php?story=23

will throw an error if the url loaded is as follows(if there is not sufficient input validation):

mysite.com/news.php?story=23'

They are scanning your site for weaknesses my friend. Keep a close eye on it would be my recommendation, and as always, fully sanitize user input.