I just noticed that in some of my PHP scripts the output of mysql_real_escape_string is not inside '' (quotes), so they were vulnerable to injections, and things like sleep(30) were performed on my production site.
I am following the PDO route with prepared statements after much reading here, but it is not yet implemented.
A few questions. I see in my logs that there are many injections that people perform from the Internet, but I do not see any damage. The user the site runs as to execute SQL queries has update/select/delete/insert privileges only.
But I worry about things like sleep(30), and what doesn't work, and whether they did any damage that I don't see?
Can you tell me where to check for damage, or would I be safe, at least from major losses?
Can they change hidden MySQL settings or system settings?
By the way, I tried to run the latest updates on CentOS 6+ Linux and PHP.
Thanks
Edit: just for clarification, the database is almost empty, and I'm not worried about the data there; the passwords are hashed with sha512. So the data inside is not important, as this is a new application that I am writing. But I'm worried whether they changed something on the system or DB that I have to worry about. Some of the injections that I see have Java, etc., but the log is huge and it will take time. I also see some schema lines in the injections.
Now the question is, can they read my schema information or change it? Why do functions like sleep work if it is a limited user? What other functions could they run?
Note I have other databases in the same MySQL. Should I worry about them?
By '' I mean: select * from dbname where id = escaped_string; I needed to put it in quotation marks
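The unquoted pattern from the question next to its prepared-statement replacement, as an added example (not the poster's code). It assumes a table `dbname` with an integer `id` column as in the question; the DSN, user and password are placeholders.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL table `dbname`
// with an integer `id` column (names taken from the question); DSN credentials
// below are placeholders.

// Old pattern from the question: the value returned by mysql_real_escape_string()
// is interpolated WITHOUT surrounding quotes. Escaping only neutralises quote
// characters, so in an unquoted numeric position any non-numeric input is still
// parsed as SQL. That is how calls such as sleep(30) reach the server.
function oldQuery(string $escapedId): string
{
    // $escapedId is what mysql_real_escape_string() returned; nothing here stops
    // it from containing spaces, operators or function calls.
    return "SELECT * FROM dbname WHERE id = $escapedId";
}

// Hardened version: a prepared statement keeps SQL and data separate, and the
// value is validated and bound as an integer before it reaches the database.
function findById(PDO $pdo, string $id): ?array
{
    // Reject anything that is not a plain non-negative integer.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM dbname WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4', // placeholder DSN
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
    ]
);

var_dump(findById($pdo, $_GET['id'] ?? ''));
```

With ATTR_EMULATE_PREPARES disabled the server receives the statement and the bound integer separately, so the quoting question from the post no longer arises.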