What is the smallest possible SQL injection attack character sequence?

1 Character is the smallest unit that you have control over. The question depends heavily on what you're doing. For instance, if you're dealing with an interface to delete your profile from a site, and you send '%' instead of your name:

"Delete from Users where name like '"+username+"'"

then setting your username to % will delete all the users.

When injecting into a string literal:

';drop database;--