What is the smallest possible SQL injection attack character sequence?

Simple, a SQL injection attack in as few characters as possible. Note, I'm not trying to prevent SQL injection attacks by limiting inputs to a certain size, but rather am genuinely curi开发者_Python百科ous how many characters is needed to execute even the simplest attack.

For posterity sake, let's say the smallest table name is 4 characters, e.g., "user". Please factor that in.

1 Character is the smallest unit that you have control over. The question depends heavily on what you're doing. For instance, if you're dealing with an interface to delete your profile from a site, and you send '%' instead of your name:

"Delete from Users where name like '"+username+"'"

then setting your username to % will delete all the users.

When injecting into a string literal:

';drop database;--

Suppose the query was generated like this

"Select * from user where userid = " + myVar 

1; delete from user;

how about this one:

' OR 1=1 --