SQL injection attacks happen when user input is improperly encoded. Typically, the user input is some data the user sends with her query, i.e. values in the $_GET, $_POST, $_COOKIE, $_REQUEST, or $_SERVER arrays. However, user input can also come from a variety of other sources, like sockets, remote websites, files, etc. Therefore, you should really treat everything but constants (like 'foobar') as user input.
In the code you posted, mysql_real_escape_string is used to encode (= escape) user inputs. The code is therefore correct, i.e. does not allow any SQL injection attacks.
Note that it's very easy to forget the call to mysql_real_escape_string, and one time is enough for a skilled attacker! Therefore, you may want to use the modern PDO with prepared statements instead of adodb.
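The three approaches the answer contrasts, run against the same hostile inputs, as an added example that is not code from the original question or answer. It uses an in-memory SQLite database through PDO so it runs offline without a MySQL server; the users table and its rows are constructed test data, and the escapeString() helper is an assumed stand-in for mysql_real_escape_string (it escapes only the quote character, which is what SQLite expects; the real function also handles backslashes and is charset-aware for MySQL).

```php
<?php
// Added example, not code from the original question or answer.
// Contrasts string concatenation, escaping, and PDO prepared statements
// against the same hostile inputs. Uses an in-memory SQLite database so it
// runs offline; the users table and rows are constructed test data.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");
    return $db;
}

// Assumed stand-in for mysql_real_escape_string: escapes only the quote
// character (SQLite doubles it; MySQL would also need backslash handling).
// Like the real function, it adds no surrounding quotes of its own.
function escapeString(string $s): string
{
    return str_replace("'", "''", $s);
}

// Runs $sql (optionally with bound parameters) and returns the row count.
function countRows(PDO $db, string $sql, array $params = []): int
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

$db = setupDb();

// Hostile value as it might arrive in $_GET['name'].
$name = "' OR '1'='1";

// 1. Plain concatenation: the attacker's quote closes the literal and the
//    rest of the value is parsed as SQL, so every row matches.
$concatenated = countRows($db, "SELECT name FROM users WHERE name = '" . $name . "'");

// 2. Escaped, then concatenated inside quotes: the quote is neutralised and
//    the whole value is compared as an ordinary string, so nothing matches.
$escaped = countRows($db, "SELECT name FROM users WHERE name = '" . escapeString($name) . "'");

// 3. Prepared statement: the value is bound separately from the SQL text,
//    so there is no literal for the attacker to close.
$prepared = countRows($db, 'SELECT name FROM users WHERE name = :name', [':name' => $name]);

printf("string context  -> concatenated: %d, escaped: %d, prepared: %d\n",
    $concatenated, $escaped, $prepared);

// Caveat behind the answer's warning: escaping only helps inside a quoted
// literal. In an unquoted numeric context the payload needs no quote, so
// escaping leaves it untouched and the injection still works, while the
// bound parameter is simply compared as a value and matches nothing.
$id = '1 OR 1=1';
$escapedNumeric  = countRows($db, 'SELECT name FROM users WHERE id = ' . escapeString($id));
$preparedNumeric = countRows($db, 'SELECT name FROM users WHERE id = :id', [':id' => $id]);

printf("numeric context -> escaped: %d, prepared: %d\n", $escapedNumeric, $preparedNumeric);
```

Run it with the PHP CLI (php example.php) on any build with the pdo_sqlite extension. The first line shows escaping and binding both defeating the quoted-string payload while naive concatenation returns the whole table; the second line shows that once the value is spliced into an unquoted position, escaping alone no longer protects the query, which is the practical reason to bind every value rather than rely on remembering an escape call at each site.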