To exploit an SQL injection, the first step, obviously, is to identify it. To do that,
the attacker must first find some indication of errors in the system. Although the
error messages themselves are not displayed, the application should still have some
way of separating right (a valid request) from wrong (an invalid request), and the
attacker easily learns to recognize these indications, find the errors and identify
whether they are SQL related or not.
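
The point above, that suppressing error text does not remove the right/wrong signal, shown as an added example (not code from the original paper). The SQLite table, handler names and response strings are constructed for illustration; the check at the end is one a defender can run against a handler to see whether the signal is still observable.

```python
import sqlite3

GENERIC_ERROR = "HTTP 500: An error occurred"   # no SQL details reach the client
NOT_FOUND = "HTTP 200: no such product"

def make_db():
    # Constructed sample data for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO products VALUES ('100', 'widget')")
    return db

def lookup_concatenated(db, product_id):
    """Vulnerable form: the input is pasted into the SQL text."""
    try:
        row = db.execute(
            "SELECT name FROM products WHERE id = '" + product_id + "'"
        ).fetchone()
    except sqlite3.Error:
        return GENERIC_ERROR          # message hidden, failure still visible
    return f"HTTP 200: {row[0]}" if row else NOT_FOUND

def lookup_parameterized(db, product_id):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    try:
        row = db.execute(
            "SELECT name FROM products WHERE id = ?", (product_id,)
        ).fetchone()
    except sqlite3.Error:
        return GENERIC_ERROR
    return f"HTTP 200: {row[0]}" if row else NOT_FOUND

def leaks_sql_error_signal(handler):
    """True if an unknown value and a value that only breaks SQL syntax get
    different responses, i.e. the 'right vs. wrong' indication exists even
    though no error message is displayed."""
    db = make_db()
    unknown = handler(db, "999")      # valid request, no matching row
    malformed = handler(db, "999'")   # stray quote: invalid only if parsed as SQL
    return unknown != malformed

if __name__ == "__main__":
    print("concatenated :", leaks_sql_error_signal(lookup_concatenated))
    print("parameterized:", leaks_sql_error_signal(lookup_parameterized))
```

With the parameterized handler both requests return the same "not found" response, so there is no SQL-related difference left to observe.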