The Test Data Inputs are 1) ' (Single quote) 2) '1'='1 3) we can pass the same i/p's as query in the form of SELECT*FROM users WHERE name =''OR'1'='1'; (If the text field accepts that much characters) 4) statement ="SELECT * FROM users WHERE name = '"+ userName +"';"
trying to pass those inputs as a security tester try to catch the Table
Name and Attributes(fields) if so you can play with refined Data
attributes and find out more Security issues by SQL Injection.
First try to catch in the order Database Name->Table Name->Attributes->Data Types