What characters have to be escaped to prevent (My)SQL injections?

Front-end · Unresolved · 6 · 822
温柔的废话 2020-11-29 05:47

I'm using MySQL API's function

mysql_real_escape_string()

Based on the documentation, it escapes the following characters:

6 answers
  •  暖寄归人
    2020-11-29 05:53

    Blacklisting (identifying bad characters) is never the way to go, if you have any other options.

    You need to use a combination of whitelisting, and more importantly, bound-parameter approaches.

    Whilst this particular answer has a PHP focus, it still helps plenty and will help explain that just running a string through a char filter doesn't work in many cases. Please, please see Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
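An added illustration of the answer's point (not code from the original thread): a pure-Python stand-in for the character set mysql_real_escape_string() escapes, applied to a numeric lookup, beside the whitelist and bound-parameter versions. sqlite3 is assumed as an offline stand-in for MySQL (its placeholder is `?` where MySQL drivers use `%s`), and the table contents are constructed sample data.

```python
import sqlite3

# Character set that mysql_real_escape_string() escapes, per the MySQL docs,
# re-implemented in pure Python so the example runs offline. Stand-in only;
# this is not the MySQL client library's function.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def escape_like_mysql(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def make_db() -> sqlite3.Connection:
    # Constructed sample data; sqlite3 stands in for MySQL here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_escaped(conn, user_id: str) -> list:
    # The anti-pattern: escape, then concatenate into an unquoted numeric
    # context. The input below contains none of the escaped characters, so
    # the filter changes nothing and the WHERE clause is rewritten.
    sql = "SELECT name FROM users WHERE id = " + escape_like_mysql(user_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, user_id) -> list:
    # Bound parameter: the value travels separately from the SQL text, so the
    # engine compares id against the whole string and matches nothing.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]

def lookup_whitelisted(conn, user_id: str) -> list:
    # Whitelisting: an id must be a decimal integer; anything else is rejected
    # before it gets near the query, and the query itself still binds it.
    if not user_id.isdigit():
        raise ValueError("user_id must be a decimal integer")
    return lookup_bound(conn, int(user_id))

if __name__ == "__main__":
    conn = make_db()
    probe = "1 OR 1=1"                      # constructed input
    print(lookup_escaped(conn, probe))      # ['alice', 'bob', 'carol']
    print(lookup_bound(conn, probe))        # []
    print(lookup_whitelisted(conn, "2"))    # ['bob']
    try:
        lookup_whitelisted(conn, probe)
    except ValueError as exc:
        print("rejected:", exc)
```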
