Exploit mysql_real_escape_string()
Date: December 17, 2009 04:37AM
The function mysql_real_escape_string() is used to add a \ in front of "dangerous characters" like the single quote.
From ha.ckers.com:
<Evading escapes with backslashes (this assumes the application comments out a single quote with another single quote and by introducing a backslash before it, it comments out the single quote that is added by the filter). This type of filter is applied by mySQL's mysql_real_escape_string()>
With an SQL injection example:
\';
Using the following example it is possible to get an error message because you end the statement, but I wasn't able to create a correct one (blind SQL):
admin\' or \'1\'=\'1
Gives me the following error:
Error Executing Database Query.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\''1\''=\''1' and password = 'IyVeVEwK' and extranetuser =' at line 3
Any idea how I could make it work?