mysql injection damages?

南方客 2020-12-02 00:56

I just noticed that my mysql_real_escape_string function is not inside a '' in some of my PHP scripts and it was vulnerable to injections and things like

4 answers
  •  甜味超标
    2020-12-02 01:30

    If you have anything like an admin panel, you should check for webshells and other backdoor-like tools on your server, because an attacker could easily read your credentials from the appropriate table. And, of course, look for any changes in your pages (look for iframes and suspicious JS code).

    The worst-case scenario is executing INTO OUTFILE in a writeable directory and then accessing it via local include or directly.

    But, first of all, before worrying you should consider this as most common automated SQL-injection checkers (bots, you might say), and if you don't see any damage - most probably there was no intrusion. But be careful - most intruders nowadays don't look for any visible damage; most probably they will inject some malicious code in your pages (like iframes with their exploits).

    So, don't be too paranoid, but still cautious :)
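
To find which scripts have the problem the question describes, here is an added example (not from the original thread): a line-based Python heuristic that flags `mysql_real_escape_string` output placed in a SQL string outside single quotes, whether by concatenation or by variable interpolation. The function name `find_unquoted` and the PHP sample are constructed for illustration, and multi-line queries are not handled.

```python
import re

# $var = mysql_real_escape_string(...)  -> remember $var as "escaped"
ESC_ASSIGN = re.compile(r"\$(\w+)\s*=\s*mysql_real_escape_string\s*\(")
SQL_WORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b", re.I)
# PHP string concatenation joints:  " .   and   . "
CONCAT = re.compile(r'"\s*\.\s*|\s*\.\s*"')
TOKEN = re.compile(r"mysql_real_escape_string\s*\(|\{?\$(\w+)")

def find_unquoted(php_source):
    """Return [(line_no, token)] where an escaped value sits in SQL outside '...'."""
    escaped = set(ESC_ASSIGN.findall(php_source))
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        if not SQL_WORD.search(line):
            continue
        # Remove concatenation joints so "a" . $x . "b" reads like "a$xb".
        flat = CONCAT.sub("", line)
        for m in TOKEN.finditer(flat):
            var = m.group(1)
            if var is not None and var not in escaped:
                continue  # a variable that never went through the escape call
            # An even number of ' before the token means it is not inside a
            # SQL string literal, so escaping quote characters protects nothing.
            if flat.count("'", 0, m.start()) % 2 == 0:
                findings.append((no, m.group(0).strip("{( ")))
    return findings

# Constructed sample: lines 4 and 6 are unquoted, lines 5 and 7 are quoted.
SAMPLE = r'''<?php
$id   = mysql_real_escape_string($_GET['id']);
$name = mysql_real_escape_string($_GET['name']);
$a = mysql_query("SELECT * FROM users WHERE id = $id");
$b = mysql_query("SELECT * FROM users WHERE name = '$name'");
$c = mysql_query("SELECT * FROM posts WHERE id = " . mysql_real_escape_string($_GET['p']));
$d = mysql_query("SELECT * FROM posts WHERE tag = '" . mysql_real_escape_string($_GET['t']) . "'");
'''

if __name__ == "__main__":
    for line_no, token in find_unquoted(SAMPLE):
        print(f"line {line_no}: {token} used in SQL without surrounding quotes")
```

Each flagged line should be changed to quote the value, cast it to an integer, or, preferably, use a parameterized query through mysqli or PDO.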
