In a quite good production application generally you can not see error responses on the page, so you can not extract data through Union attacks or error based attacks. You have to do use Blind SQL Injections attacks to extract data. There are two kind of Blind Sql Injections.

• Normal Blind: You can not see a response in the page, but you can still determine result of a query from response or HTTP status code.
• Totally Blind: You can not see any difference in the output in any kind. This can be an injection a logging function or similar. Not so common, though.

In normal blinds you can use if statements or abuse WHERE query in injection (generally easier).

In totally blinds you need to use some waiting functions and analyze response times. For this you can use BENCHMARK() and sleep(10) in MySQL.

This output taken from a real private Blind SQL Injection tool while exploiting SQL Server back ended application and enumerating table names.