Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It’s a simple, easy to use tools that will not only prove the vulnerability but allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall then I’ll habitually break out Burp Suite and start working on filter evasion manually, however there’s often a simpler way.
Sometimes when I’m chatting to security engineers and developers I hear them say that the only characters you need to encode (or strip) are < and >. This often comes around due to .Net’s security filter which restricts any alpha-character from appearing after a < character. This filter prevents a lot of XSS attacks but it’s definitely not complete.