That's good because I have spent a long time searching and not found any realistic example. I have just searched for 'sql injection attack example' and, taking the first on the list -
http://unixwiz.net/techtips/sql-injection.html - you find the oft quoted -
By entering anything' OR 'x'='x, the resulting SQL is:
SELECT fieldlist
FROM table
WHERE field = 'anything' OR 'x'='x';
This is nonsense because you can paraphrase it to say
By entering Mike O'Connor, the resulting SQL is:
SELECT fieldlist
FROM table
WHERE field = 'Mike O'Connor'
This isn't an injection attack; it is an SQL syntax error.
Therefore you must always double single quotes in strings when the string has been supplied by a user in order to prevent SQL syntax errors. The fact that doing so prevents injection attacks is simply a useful byproduct. By doubling single quotes our two examples become
SELECT fieldlist
FROM table
WHERE field = 'Mike O''Connor'
- no syntax error, and
SELECT fieldlist
FROM table
WHERE field = 'anything'' OR ''x''=''x';
- no injection attack.
But your searches must be better than mine so perhaps you would care to share the results with me so that I can see the error of my ways.
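The two inputs discussed in the post above, run against an in-memory SQLite table three ways: plain concatenation, quote doubling, and a bound parameter. This is an added example, not part of the original post; the table `people`, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT)")
    db.executemany("INSERT INTO people VALUES (?)",
                   [("Mike O'Connor",), ("anything",), ("Alice",)])
    return db

def run(db, sql, params=()):
    # Return the sorted matching names, or the parser's error text.
    try:
        return sorted(row[0] for row in db.execute(sql, params))
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)

def concat_query(db, value):
    # User text pasted straight into the statement.
    return run(db, "SELECT name FROM people WHERE name = '" + value + "'")

def doubled_query(db, value):
    # Each single quote in the user text doubled before pasting.
    escaped = value.replace("'", "''")
    return run(db, "SELECT name FROM people WHERE name = '" + escaped + "'")

def bound_query(db, value):
    # User text passed as data; it never becomes part of the SQL text.
    return run(db, "SELECT name FROM people WHERE name = ?", (value,))

if __name__ == "__main__":
    db = make_db()
    for value in ("Mike O'Connor", "anything' OR 'x'='x"):
        print(repr(value))
        print("  concatenated:", concat_query(db, value))
        print("  doubled     :", doubled_query(db, value))
        print("  bound       :", bound_query(db, value))
```

With concatenation the first input fails to parse and the second returns every row; with doubling or a bound parameter both inputs are compared as plain strings.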