Hello Gus I have some an application that is vulnerable to sql injecion ...

For example, if that was the link

http://www.test.com/audioalbumdetails/58+order+by+1/*

I get this error msg
SELECT id,name,content,time FROM nesote_music_comments WHERE status=1 and service_type='music' and service_id='58 order by 1' ORDER BY time desc LIMIT -5,5 ;
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-5,5' at line 1


you see that service_id='58 .. when I try close the single quote .. i.e., like this
58'+order+by+1/*
I get this problem service_id='58\' order by 1' so that I got escape character for the single quote ... and my order by statement between the quotes ... Any ideas how can I bypass this problem and make successful SQLi ?? I also have something strange when I use -- - instead of /* I get no error and the site is working normaly ??? why is that ??

What happens if you add your own backslash before the quote? Does it escape that, too?

Try making the request
http://www.test.com/audioalbumdetails/58\'+order+by+1;--
And see what happens. It's possible the site is using addslashes() to escape ', ", and \. If that's the case, it's possible that the site is still vulnerable. You can read more about it here:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string