i founded this as some user try to put it in my sql
but using mysql_real_escape_string it actully save my website ..
i just want to ask what this code exactly do .. thanks alot ;)
(select(@) from (select (@:=0x00),(select (@) from (TABLE) where (@) in (@:=concat(@,0x0a,col1,0x3a,col2,0x3a,col3))))a)
In an isolated test environment, execute it against a clean database and see what it does. It would also help to see what a normal sql statement looks like so it can be compared with the malicious version. As a side note, use prepared statements to prevent sql injection situations.
Always constrain input. Validate all input to your apps for type, length, format, and range.