David Litchfield published the paper Data-mining with SQL Injection and Inference (more NISR papers). From the abstract: When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ a different communications channel to drill for data by using database mail or HTTP functions for example. Inference attacks stand alone in the fact that no actual data is transferred – rather, a difference in the way an application behaves can allow an attacker to infer the value of the data.