Simple, a SQL injection attack in as few characters as possible. Note, I'm not trying to prevent SQL injection attacks by limiting inputs to a certain size, but rather am genuinely curious how many characters is needed to execute even the simplest attack.
For posterity sake, let's say the smallest table name is 4 characters, e.g., "user". Please factor that in.
1 Character is the smallest unit that you have control over. The question depends heavily on what you're doing. For instance, if you're dealing with an interface to delete your profile from a site, and you send '%' instead of your name:
"Delete from Users where name like '"+username+"'"
then setting your username to % will delete all the users.