I am writing an automatic tester for our web application's API. I'm trying to break it and expose flaws. So far I am trying:
admin=1
)eval("echo 'injection';");
all encoded in % encoding
OR 1=1, comments --
I'm not really trying to go for stuff like drop tables; I don't want to damage our test environment. All of my attacks are more aimed at printing messages so I know I got around our security without deleting information.
I highly recommend that you don't do this yourself. There are tons of different attack vectors and this could be a full-time job for quite a long time. It's not something you bang out over a week or two.
Instead, go look at Metasploit. It's an awesome pen testing framework. I guarantee anyone that knows what they are doing when trying to hack a site has this. You may as well use the same tools.
There are a wide variety of automated testers already out there and it probably makes more sense to take advantage of these, as you'll inevitably overlook some aspect of your own code, etc.
In terms of the penetration testing tools, the Penetration testing tools question has a thorough discussion including software recommendations.
The open source vulnerability scanner W3AF can scan for the following vulnerabilities that affect PHP applications:
LFI/RFI
LDAPi
SQLi
XSS
OS Command Execution
CRLF injection
Directory Traversal
And many more.