I know that the best way to avoid SQL injection attacks is to use parameterized queries or preparedStatements in Java because there would be no string parsing that be misdirected.
However, I have an application that is 12 years old and it is just not worth the effort to re-architect the app so I can eliminate all the string concatenation.
I have seen that MySQL has a function mysql_real_escape_string()
that escapes 7 different characters:
mysql_real_escape_string() calls MySQL's library function 3. mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
So, I am wondering if that should be enough to prevent SQL injection attacks?