We all know the usual problem with SQL escaping; there is even a comic about it.
There is another SQL-related project, Sphinx, which is a quite efficient search indexer (especially for whole-word search), but it also needs escaping. Given that in Sphinx "foo-bar" means "all records containing foo, but not bar", if you really want the single word "foo-bar", then you need to write "foo\-bar".
And that's the fun part, as the escaping order matters a lot. Basically, if you escape for MySQL first and then insert the Sphinx query, you have just created an injection yourself: the Sphinx escaping doubles the backslash that MySQL escaping put in front of a quote, so the quote itself ends up unescaped. ;)
So the final query will contain "foo\\-bar" if you did the escaping in the right order: Sphinx first, then MySQL.
It's also notable that the official Sphinx PHP API does not seem to escape the ";" character, which is also a bug, as this way you can modify the search query any way you want.
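As an added example (not code from the original post or from the Sphinx project), the two escaping orders side by side. The Sphinx operator list is assumed to follow the extended query syntax (and, like the official API the post describes, it leaves ";" alone); mysql_escape mirrors mysql_real_escape_string and sql_unescape shows what the server hands to Sphinx.

```python
# Escaping order demo: Sphinx escaping must run BEFORE MySQL escaping.
# SPHINX_OPERATORS is an assumed list of Sphinx extended-syntax operators.
SPHINX_OPERATORS = '\\()|-!@~"&/^$=<'
MYSQL_ESCAPES = {'\\': '\\\\', "'": "\\'", '"': '\\"', '\0': '\\0',
                 '\n': '\\n', '\r': '\\r', '\x1a': '\\Z'}
MYSQL_UNESCAPES = {'0': '\0', 'n': '\n', 'r': '\r', 'Z': '\x1a'}

def sphinx_escape(text):
    # Backslash every operator so "foo-bar" is matched literally, not as "foo NOT bar".
    return ''.join('\\' + ch if ch in SPHINX_OPERATORS else ch for ch in text)

def mysql_escape(text):
    # Minimal mysql_real_escape_string equivalent for a quoted string literal.
    return ''.join(MYSQL_ESCAPES.get(ch, ch) for ch in text)

def sql_unescape(body):
    # What MySQL reconstructs from the literal; "\x" for an unknown x yields x.
    out, i = [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body):
            out.append(MYSQL_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return ''.join(out)

def has_unescaped_quote(body):
    # A quote preceded by an even number of backslashes terminates the SQL literal.
    run = 0
    for ch in body:
        if ch == '\\':
            run += 1
            continue
        if ch == "'" and run % 2 == 0:
            return True
        run = 0
    return False

def right_order(user_text):  # Sphinx first, then MySQL: "foo-bar" -> foo\\-bar
    return mysql_escape(sphinx_escape(user_text))
def wrong_order(user_text):  # MySQL first: Sphinx then doubles MySQL's backslash
    return sphinx_escape(mysql_escape(user_text))

if __name__ == '__main__':
    for text in ('foo-bar', "foo'"):  # constructed sample inputs
        for name, fn in (('right', right_order), ('wrong', wrong_order)):
            body = fn(text)
            print(f"{name}: {text!r} -> {body!r}; sphinx sees {sql_unescape(body)!r}; "
                  f"breaks out of literal: {has_unescaped_quote(body)}")
```

In the wrong order, "foo-bar" reaches Sphinx with the dash unescaped (the NOT operator survives), and a single quote in the input is left unescaped in the SQL literal.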