by bryanlarsen 3962 days ago
You want something that modifies so that you can detect that the SQL executed. But an INSERT would be much friendlier than a DROP TABLE. :)
1 comments

Not necessarily. If you do a test with good SQL and a second test with SQL Injection and compare the responses, that can show SQL Injection exists without having to change the database. This won't work for all SQL injection tests, but I would rather take this approach first.
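
The response-comparison approach described in the reply above, as an added example that is not part of the original thread: a read-only regression check run against your own query code. The in-memory SQLite table, the function names and the sample rows are all constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory only, nothing touches disk.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    db.commit()
    return db

def lookup_concat(db, name):
    # Deliberately vulnerable: input is concatenated into the statement.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Hardened: input is bound as a parameter and never parsed as SQL.
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def differential_check(lookup, db, good_value):
    """Compare responses to a good value and two read-only variants of it.

    Returns (input_reaches_parser, table_unchanged).
    """
    before = row_count(db)
    baseline = lookup(db, good_value)
    # Variant that should not change the result if it is parsed as SQL.
    same_logic = lookup(db, good_value + "' AND '1'='1")
    # Variant that should empty the result if it is parsed as SQL.
    diff_logic = lookup(db, good_value + "' AND '1'='2")
    flagged = bool(baseline) and same_logic == baseline and diff_logic != baseline
    return flagged, row_count(db) == before

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", differential_check(lookup_concat, db, "alice"))
    print("parameterized:", differential_check(lookup_param, db, "alice"))
```

The check only works when the response visibly depends on the query result, which is the limitation the reply notes; a code path whose output is identical either way needs a different test.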