The symbols I should be aware of for SQL injection

梦如初夏 2021-01-26 14:03

I know that you can cure all of this stuff with mysql_real_escape_string() (and with htmlspecialchars()), but I want to know the symbols that cause all this.

2 answers
  • 2021-01-26 14:56

    Each DB will have its own metacharacters as extensions to standard SQL syntax. Some will use -- for comments, some use C-style /* */, etc. Each DB has its own escaping requirements, which is why there's an escape function for every DB type in PHP. What works for MySQL may be completely useless for (say) Oracle.

    The only "definitive" list of characters will be the ones listed in the SQL standards. But using only those in your own custom escape function would be useless, because it won't include the DB-specific non-standard metacharacters that the DB understands.

  • 2021-01-26 14:57

    From the PHP Manual:

    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

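The following is an added example, not code from the original post and not PHP's or MySQL's own implementation. It re-implements in Python the seven-character rule quoted from the PHP manual in the second answer, so you can see exactly what mysql_real_escape_string() touches (and what it leaves alone, such as the -- comment marker the first answer mentions). It also illustrates the first answer's point that escaping is dialect-specific: the same MySQL-escaped literal is a syntax error in SQLite, which follows the standard-SQL doubled-quote rule, while a parameterized query works regardless of dialect. The function names, the `users` table and its two rows are my own constructed fixtures.

```python
import sqlite3

# The seven characters the PHP manual lists for mysql_real_escape_string(),
# mapped to the replacement text the MySQL client library emits for each.
MYSQL_ESCAPES = {
    "\x00": "\\0",    # NUL byte
    "\n": "\\n",      # newline
    "\r": "\\r",      # carriage return
    "\\": "\\\\",     # backslash
    "'": "\\'",       # single quote
    '"': '\\"',       # double quote
    "\x1a": "\\Z",    # Ctrl-Z (ASCII 26)
}


def mysql_real_escape_string(value: str) -> str:
    """Python re-implementation of the seven-character rule (hypothetical name, not PHP's code)."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def mysql_quote(value: str) -> str:
    """Escaping only has meaning inside a quoted literal, so wrap the escaped text in quotes."""
    return "'" + mysql_real_escape_string(value) + "'"


def sqlite_quote(value: str) -> str:
    """Standard-SQL / SQLite quoting: a quote inside a literal is doubled, never backslashed."""
    return "'" + value.replace("'", "''") + "'"


def lookup_with_string_building(conn, quoted_literal: str):
    """Concatenate a pre-quoted literal into the SQL text (the pattern the question asks about)."""
    sql = "SELECT id FROM users WHERE name = " + quoted_literal
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name: str):
    """Preferred approach: the value travels as a parameter, so no escaping rule has to match the dialect."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def make_db():
    """Constructed in-memory fixture: two users, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    return conn


def demo():
    """Run the comparisons and return the observations as a dict."""
    conn = make_db()
    results = {}
    # Only the seven listed characters change; a comment marker passes through untouched.
    results["escaped"] = mysql_real_escape_string("O'Brien\n")
    results["comment_untouched"] = mysql_real_escape_string("-- x")
    # Parameterized lookup works without any dialect-specific escaping.
    results["parameterized"] = lookup_parameterized(conn, "O'Brien")
    # SQLite accepts its own doubled-quote literal ...
    results["sqlite_quoted"] = lookup_with_string_building(conn, sqlite_quote("O'Brien"))
    # ... but the MySQL-style backslash escape is a syntax error in SQLite.
    try:
        lookup_with_string_building(conn, mysql_quote("O'Brien"))
        results["mysql_quote_on_sqlite"] = "accepted"
    except sqlite3.OperationalError:
        results["mysql_quote_on_sqlite"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway matches both answers: the escape function is not a list of "dangerous symbols" but a rule for keeping data inside one particular dialect's string literal, and a parameterized query removes the need to know that rule at all.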