This might be a stupid question. Or maybe my hacking skills are limited (I don't practice them at all).

Şöyle bir sorgu var:

<?php
$query =<<<eot
    SELECT      table_x.field1,
                table_x.field2,
                table_y.*,
                table_z.field4
    FROM        (
                    SELECT ...
                ) as table_y
    LEFT JOIN   table_x
    ON          table_x.field1 = table_y.field_x
    LEFT JOIN   table_z
    ON          table_z.field1 = table_y.field_z
    WHERE       table_x.field3 = '$something'
    AND         table_z.field4 = '1'
    AND         table_z.field5 = '2'
eot;
?>

I have a lot of other tests on $something before it gets used, like $something = explode(' ',$something); (which later result in a string) none of them intend to prevent injection but they make it hard for the given injection to get as is to the actual query. However, there are ways. We all know how easy it is to replace a space for something else which is still valid..

So, it's not really a problem to make a potentially harmful piece of SQL reach that $something... But is there any way to comment the rest of the original query string if it is multi-line?

I AND table_z.field4 = '1' kullanarak yorum yapabilirsiniz ;-- ama şu AND table_z.field5 = '2' yorum yapamam

Onu kapatma ya da bir şey gibi görünüyordu olmadan multi-satırlı bir yorum /* açmak ve bu nedenle enjeksiyon multi-line sorgu görmezden izin mümkün mü?