If there are two SQL statements in the same request handler, as below:
select count(*) from user where id={$id};
select * from user where id={$id};
As the parameter 'id' is not filtered, it's possible to do an SQL injection. However, as the two SQL statements return a different number of columns, it would always return the SQL error 'The used SELECT statements have a different number of columns' when trying to use UNION.
Is it possible to do a successful sql injection in this case?
SQL injection is not the question of whether it can be successfully exploited but whether the intention of an SQL command can be modified. And this is definitely the case here.
As for the exploitability, you can use the boolean-based technique:
123 AND EXISTS (SELECT 1 FROM mysql.user WHERE user='root' AND password LIKE '*235FBD5A943%')
So only if the root’s password hash begins with *235FBD5A943 the whole WHERE condition is true. With this boolean-based technique (additional condition true or false) you are able to read any accessible information using appropriate string functions.
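The effect described in this answer, and the fix for it, as an added example that is not part of the original question or answer. It uses Python's sqlite3 so it runs offline; the `credential` table, its contents and the function names are constructed stand-ins for the page's MySQL tables and handler.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for the page's tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE credential (name TEXT, hash TEXT);
        INSERT INTO user VALUES (123, 'alice');
        INSERT INTO credential VALUES ('root', '*235FBD5A943EXAMPLE');
    """)
    return db

def handler_concat(db, id_param):
    # Same shape as the question: the parameter is pasted into both statements,
    # so whatever follows the number becomes part of the WHERE condition.
    count = db.execute(f"select count(*) from user where id={id_param}").fetchone()[0]
    rows = db.execute(f"select * from user where id={id_param}").fetchall()
    return count, rows

def handler_bound(db, id_param):
    # Hardened form: accept only a plain integer, then bind it as a value.
    # A bound value is never parsed as SQL, so it cannot extend the condition.
    if not re.fullmatch(r"[0-9]+", str(id_param)):
        raise ValueError("id must be an integer")
    uid = int(id_param)
    count = db.execute("select count(*) from user where id=?", (uid,)).fetchone()[0]
    rows = db.execute("select * from user where id=?", (uid,)).fetchall()
    return count, rows

def probe(prefix):
    # Extra condition of the kind shown in the answer, against the constructed table.
    return ("123 AND EXISTS (SELECT 1 FROM credential "
            f"WHERE name='root' AND hash LIKE '{prefix}%')")

if __name__ == "__main__":
    db = make_db()
    # Concatenated handler: the count tracks the truth of the extra condition.
    print(handler_concat(db, probe("*235FBD5A943"))[0])  # condition true
    print(handler_concat(db, probe("*000"))[0])          # condition false
    # Bound handler: the same input is rejected before reaching the database.
    try:
        handler_bound(db, probe("*235FBD5A943"))
    except ValueError as exc:
        print("rejected:", exc)
```

The differing column counts of the two statements play no part here: the concatenated handler leaks one bit per request through the row count alone, and the bound handler removes that channel for both statements at once.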