Simply enter the following into the input fields of a webpage:

a'

Entering the ' character to some web field may cause an error if a SQL injection error exist.

In case of MySQL the result may look like this:

...- You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near ...

From the error message we can see that MySQL is used as the database. Additionally we may get some information about the field and table names used in the query. This indicates it is vulnerable to SQL Injection attacks.

NOTE: This is not the same as an error reported from the website itself, such as “That is not a valid username”.

Microsoft SQL returns something like:

Microsoft SQL Native Client error '80040e14'
Unclosed quotation mark after the character string ''.
/target.asp, line 9

The character ' is used because this is the character limiter in SQL. With ' you delimit strings and therefore you can test whether the strings are properly escaped in the targeted application or not. If they are not escaped directly you can end any string supplied to the application and add other SQL code after that.

The character ; is used to terminate SQL statements. If you can send the character ; to an application and it is not escaped outside a string (see above) then you can terminate any SQL statement and create a new one which leaves a security breach.