SQL Injection

I wrote SqlEscape() (a simplified version based on the PHP function mysql_real_escape_string()) as one method to safeguard against SQL injection attacks.

I can't find any way to enter a string that would result in a destructive query or in returning multiple records. Can you?

Everything I try results in a query error. If you think of one, please let me know.

Ray Yates

Of course I would never actually use a query like this without fully qualifying the input, and neither should you.

Can you hack the query?

'SELECT * FROM Contacts WHERE lname = \'' $ string $ '\''

Here is the function:
<MvFUNCTION NAME="SqlEscape" PARAMETERS="string" STANDARDOUTPUTLEVEL="">
    <MvCOMMENT> Backslash-escapes the characters mysql_real_escape_string() handles: \, NUL, newline, carriage return, SUB (0x1a), ", and ', plus ; for good measure. </MvCOMMENT>
    <MvCOMMENT> The backslash must be escaped first, otherwise the backslashes added for the other characters would be doubled. </MvCOMMENT>
    <MvCOMMENT> MySQL expects the letter form for control characters (\0, \n, \r, \Z), not a backslash followed by the raw byte, so those four are written with their letters. </MvCOMMENT>
    <MvFUNCRETURN VALUE="{ glosub(glosub(glosub(glosub(glosub(glosub(glosub(glosub(l.string
    ,asciichar(92),asciichar(92) $ asciichar(92))
    ,asciichar(0),asciichar(92) $ '0')
    ,asciichar(10),asciichar(92) $ 'n')
    ,asciichar(13),asciichar(92) $ 'r')
    ,asciichar(26),asciichar(92) $ 'Z')
    ,asciichar(34),asciichar(92) $ asciichar(34))
    ,asciichar(39),asciichar(92) $ asciichar(39))
    ,';',asciichar(92) $ ';')
    }">
</MvFUNCTION>
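A way to check an escape function like the one above, rather than trying inputs by hand: build the query exactly as the post does, then read the resulting single-quoted literal back with a small parser that follows MySQL's backslash rules, and confirm that the decoded literal equals the original input and that the literal ends where the query ends. If both hold for an input, that input stayed inside the string and never reached the SQL grammar. The following is an added Python example written for this page, not Ray's Miva code and not a MySQL library; sql_escape(), build_query(), read_literal() and literal_stays_contained() are names chosen here, and the escape table assumes MySQL's default backslash handling (NO_BACKSLASH_ESCAPES off). The sample inputs at the bottom are constructed.

```python
# Escape table mirroring what mysql_real_escape_string() emits under MySQL's
# default backslash handling (assumption stated in the lead-in). MySQL wants
# the *letter* after the backslash for control characters: NUL -> \0,
# newline -> \n, carriage return -> \r, SUB (0x1a) -> \Z.
ESCAPES = {
    "\\": "\\\\",
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
    '"': '\\"',
    "'": "\\'",
}

# How MySQL decodes a backslash sequence inside a literal. Any letter not in
# this table (including ';' as the Miva function escapes it) simply yields itself.
UNESCAPES = {"0": "\x00", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}


def sql_escape(s: str) -> str:
    """Escape s for use inside a single-quoted MySQL string literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in s)


def build_query(lname: str) -> str:
    """Assemble the query exactly as the post's 'SELECT ...' expression does."""
    return "SELECT * FROM Contacts WHERE lname = '" + sql_escape(lname) + "'"


def read_literal(sql: str, start: int):
    """Parse the single-quoted literal that begins at sql[start] == "'".

    Returns (decoded value, index just past the closing quote). Follows MySQL's
    rules: backslash introduces an escape, and '' inside a literal is one quote.
    """
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    out = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def literal_stays_contained(lname: str) -> bool:
    """True when all of lname decodes back out of the literal and nothing trails it."""
    query = build_query(lname)
    value, end = read_literal(query, query.index("'"))
    return value == lname and end == len(query)


if __name__ == "__main__":
    # Constructed sample inputs covering every character the escape table handles.
    samples = ["O'Brien", "a\\b", "line1\nline2", "nul\x00byte", "semi;colon", '"dq"', "\x1a"]
    for s in samples:
        print(repr(s), "->", build_query(s), "contained:", literal_stays_contained(s))
```

Two things the check makes visible. First, a backslash followed by the raw control byte (what the Miva function emits if the letter forms are not used) decodes in MySQL to the bare byte, so it is not the same output as mysql_real_escape_string(); the letter forms are what the PHP function produces. Second, mysql_real_escape_string() consults the connection's character set, while a character-by-character port like this one, or the Miva one, does not, which is one reason bound parameters in a prepared statement remain the stronger control than any escaping routine.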