Most of SQL injection examples use the ;DROP TABLE students
payload which is not even a thing in many software setups. This is just an example.
You are making a very common mistake, confusing an injection (a possibility to inject an unwanted code into the SQL query) with an exploit (the actual payload to be injected with a purpose of breaking into a system).
That’s two completely different matters.
So, an injection is just a possibility. And it is irrelevant to any characters. Once injection is there, then an infinite number of exploits possible, all depends on the situation. Some of them will require anything but ‘ and \ symbols and some will need them.
What takeaway you can make from the statements above? One should protect from injections, not exploits. Fighting characters is a losing game. Fight the possibility.
Once an application is not protected from injections, it will be hacked, with one exploit or another, using one character or another. But once it is protected, it is protected from all exploits at once, no matter which character used.
solved Will sql injection works if ‘ ” \ are filtered