I understand that you simply cure all the stuff with mysql_real_escape_string() (with htmlspecialchars()), but I wish to be aware of symbols that create all of this mess everybody really wants to eliminate?

The one thing here's, that people here needed to transfer an internet site not built by us in one host to a different.

It's been coded from ground-up, to make use of php's now deprecated and not family member - miracle_quotes.

Following the host change there has been php.ini changes also, we experienced lots of unpredicted results. We do not get access to php.ini, there's no user.ini (5.2.x) and also the host it's not responsive enough make it possible for us additional features. There's an issue with hosts within Latvia, a significant one.

But yeah, that's off-subject already. I only desire to know, which symbols are the type that without any getting away, no miracle quotes with no protection can cause all of this mess?

Plus, there have been error when text contained things like - /ls which resembles UNIX (the host OS) directory listing command - Method Not Implemented.

Also it appears like the web site interacts with database in CLI atmosphere, hence the /ls problem. And I wish to make sure if you input something that begins with / and follows UNIX command- "Method Not Implemented" errors pops up.

P.S. I am not searching for an answer, I have already fixed the mistake. Would like to be aware of symbols.

Update to clarify

1) By writing the question, I had been calling CLI what looks to become socket call- unix-domain / TCP. Live and learn!

2) Should you browse the question fully, you'll notice that I am fixing bugs/holes left out other designers. Sine we required over this clients IT maintenance, they wanted us to consider over the website too.

3) Simply because they have compensated lots of money for current website, they don't wish to pay much more for a replacement on the more recent, better built system.

4) The bond line within the scripts is - $this->db = DB::connect('mysql://'._DB_USER.':'._DB_PASS.'@'._DB_HOST.'/'._DB_Title.'') - unix-domain I suppose.

In the PHP Manual:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes towards the following figures: x00, n, r, , ', " and x1a.

Each DB may have its very own metacharacters as extensions to standard SQL syntax. Many will use -- for comments, some use c-style /* */, etc... Each DB features its own getting away needs, and that's why there's a getaway function for each DB key in PHP. The things that work for MySQL might be completely useless for (say) Oracle.

The only real "definitive" listing of figures would be the ones indexed by the SQL standards. But only using individuals in your custom escape function could be useless, since it will not range from the DB-specific non-standard metacharacters the DB knows.