replaceAll quotes with backslashed quotes -- Is that enough?

Question

I'm using replaceAll to replace single quotes with "\\\\'" per a colleague's suggestion, but I'm pretty sure that's not enough to prevent all SQL injections.

I did some googling and found this: http://wiki.postgresql.org/wiki/8.1.4_et._al._Security_Release_Technical_Info

This explains it for PostgreSQL, but does the replacing not work for all SQL managers? (Like, MySQL, for example?)

Also, I think I understand how the explanation I linked works for single backslash, but does it extend to my situation where I'm using four backslashes?

Please note that I'm not very familiar with databases and how they parse input, but this is my chance to learn more! Any insight would be appreciated.

Edit: I've gotten some really helpful, useful answers. My next question is, what kind of input would break my implementation? That is, if you give me input and I prepend all single quotes with four backslashes, what kind of input would you give me to inject SQL code? While I am convinced that my approach is naive and wrong, maybe some examples would better teach me how easy it is to inject SQL against my "prevention".

Answer 1

No, because what about backslashes? for instance if you turn ' into \' then the input \' will become \\' which is an unescaped single quote and a "character literal" backslash. For mysql there is mysql_real_escape_string() which should exist for every platform because its in the MySQL library bindings.

But there is another problem. And that is if you have no quote marks around the data segment. In php this looks like: $query="select * from user where id=".$_GET[id];

The PoC exploit for this is very simple: http://localhost/vuln.php?id=sleep(10)

Even if you do a mysql_real_escape_string($_GET[id]) its still vulnerable to sqli because the attacker doesn't have to break out of quote marks in order to execute sql. The best solution is Parameterized Queries.