/blind-bool · sink: string-concatenated SELECT (no error reflection)
Product lookup leaks only existence. No errors, no reflection.
Query: SELECT name, description FROM products WHERE id=<input>. Try ?id=1 AND SUBSTRING((SELECT value FROM secrets WHERE name='sqli-blind-bool'),1,1)='V'. If the page shows product 1, the first character of the secret is V; otherwise it is not. Walk the value character by character.
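
The sink and its fix, as an added example that is not the lab's own code. Python with an in-memory SQLite database stands in for the lab's stack, which the page does not name, and the table rows, the secret value and the function names are constructed for illustration. It runs the page's payload against the concatenated query and against a validated, parameterized one.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the lab database; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    # Older SQLite builds lack SUBSTRING; define it so the page's payload runs as written.
    conn.create_function("SUBSTRING", 3, lambda s, i, n: s[i - 1:i - 1 + n])
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'constructed sample row');
        INSERT INTO secrets VALUES ('sqli-blind-bool', 'V-constructed-sample');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    """The sink as described: input concatenated into the statement, errors hidden."""
    try:
        sql = "SELECT name, description FROM products WHERE id=" + raw_id
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # no error reflection: a failed query looks like "not found"

def lookup_hardened(conn, raw_id):
    """Validate the type, then bind the value, so input cannot add SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return False
    row = conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row is not None

# The payload from the page, and the same payload with a wrong guess.
PAGE_PAYLOAD = ("1 AND SUBSTRING((SELECT value FROM secrets "
                "WHERE name='sqli-blind-bool'),1,1)='V'")
WRONG_GUESS = PAGE_PAYLOAD[:-3] + "'X'"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        # Columns: plain id, true predicate, false predicate
        print(label, [fn(db, v) for v in ("1", PAGE_PAYLOAD, WRONG_GUESS)])
```

With the hardened lookup both guesses get the same "not found" response, so the page no longer distinguishes a true predicate from a false one.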