What do I need to escape when sending a query?

Front-end · Unresolved · 11 answers · 1336 views
执念已碎 2021-01-07 18:01

When you execute a SQL query, you have to clean your strings, or users can execute malicious SQL on your website.

I usually just have a function escape_string(blah),

11 answers
    夕颜 (OP)
    2021-01-07 18:50

    I am not sure if MySQL supports parameterized queries; if so, you should make an effort to go this route. This will ensure the user's input can't do anything malicious.

    Otherwise, some "bad" characters in addition to what you mentioned would be the semicolon (;) and comment markers (-- and /* */).
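The difference between the escape_string() approach from the question and the parameterized route the answer recommends, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 driver as a stand-in for MySQL (an assumption made so it runs offline; the same `?`/`%s` placeholder idea applies to MySQL drivers), and the table, rows and lookup names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post). The second name
# contains a quote on purpose: legitimate data that trips string-built SQL.
USERS = [("alice", "alice@example.com"), ("o'neil", "oneil@example.com")]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_parameterized(conn, name):
    """Recommended: the driver sends `name` separately from the SQL text.

    Quotes, semicolons and comment markers (;  --  /* */) inside `name`
    are compared as data; they can never change the statement."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]


def find_user_interpolated(conn, name):
    """The pattern the question describes, with no escaping at all.

    Any single quote in `name` ends the literal early and changes the
    statement; here that surfaces as a syntax error."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [r[0] for r in conn.execute(sql).fetchall()]


def escape_string(value):
    """Hypothetical escape_string() like the one the question mentions:
    doubles single quotes, which is how SQL escapes them inside a string
    literal. This only helps when the value is placed inside quotes."""
    return value.replace("'", "''")


def find_user_escaped(conn, name):
    """escape_string() applied before interpolation into a quoted literal."""
    sql = "SELECT email FROM users WHERE name = '%s'" % escape_string(name)
    return [r[0] for r in conn.execute(sql).fetchall()]


def interpolated_query_fails(conn, name):
    """True if building the SQL text from `name` produces a broken statement."""
    try:
        find_user_interpolated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("parameterized:", find_user_parameterized(db, "o'neil"))
    print("escaped      :", find_user_escaped(db, "o'neil"))
    print("interpolated breaks:", interpolated_query_fails(db, "o'neil"))
    # The characters the answer lists stay harmless data under parameters.
    print("odd input    :", find_user_parameterized(db, "alice; -- /* */"))
```

The parameterized lookup and the escaped lookup both find the row whose name legitimately contains a quote, while plain interpolation fails on it; the last call shows that the semicolon and comment markers the answer lists are simply part of the compared value when passed as a parameter. Escaping still depends on remembering to quote and escape at every call site, which is why the answer's advice to prefer parameters stands.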
