The only protection MySQL has against the case you show is that by default, MySQL's query interface doesn't execute multiple statements. Separating statements by ; will only result in a syntax error.
However, multi-query is an option, and depending on the client, the option may have been enabled.
PDO enables multi-query by default. I can run the following and it will insert two rows:
$pdo->query("insert into foo set id = 1; insert into foo set id = 2");
However, if you try to use prepared statements (disabling emulated prepare), it fails:
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$stmt = $pdo->prepare("insert into foo set id = ?; insert into foo set id = ?");
This throws an exception if you enabled exceptions:
PHP Fatal error: Uncaught PDOException: SQLSTATE: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'insert into foo set id = ?' at line 1
Mysqli enables multi-query only for queries you execute with the mysqli_multi_query() function. So if you don't use multi_query() in your code, you're safe.
Furthermore, if you do use query parameters (I saw your comment that you do use query parameters), you're also safe, because even if the parameter were to contain any attempt to fool the query, it won't work.
Parameters are not simply concatenated into the SQL query when you use prepared statements. This is a misunderstanding many developers have.
Parameters are kept separate from the SQL syntax until after the SQL is parsed. Then the parameter is combined as MySQL executes the query, but it's too late for any attempted SQL injection to modify the way the query will be parsed.
That's why query parameters are a good method of protecting your app from SQL injection.
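The behaviour described in this answer, written out as a runnable PDO script. This is an added example, not code from the answer above. It assumes a reachable MySQL server (the DSN, user and password are placeholders) and a table created with `CREATE TABLE foo (id INT, name VARCHAR(100))`; the input value is constructed for the demonstration.

```php
<?php
// Added example (not from the original answer). Assumes MySQL is reachable with the
// placeholder DSN/credentials below and that this table exists:
//   CREATE TABLE foo (id INT, name VARCHAR(100));
$pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // surface errors as exceptions
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,              // turn off PDO's default multi-query support
]);

// Constructed input: a value that contains a quote, a semicolon and SQL keywords.
$name = "alice'; insert into foo set id = 99";

// 1. Multi-statement SQL is rejected by a real prepared statement, even with no
//    user input involved: the server returns error 1064 at prepare() time.
try {
    $pdo->prepare("insert into foo set id = 2; insert into foo set id = 3");
} catch (PDOException $e) {
    echo "prepare() rejected multi-statement SQL, SQLSTATE " . $e->getCode() . PHP_EOL;
}

// 2. Bound parameters: the SQL text is parsed by the server first, with '?' as a
//    placeholder. $name is sent afterwards and can only ever be a string value;
//    it cannot add a second statement or change how the query was parsed.
$stmt = $pdo->prepare("insert into foo set id = ?, name = ?");
$stmt->execute([1, $name]);

// 3. Check: the stored row holds the whole input verbatim, and no row with id 99
//    was created by the text inside the parameter.
$check = $pdo->prepare("select name from foo where id = ?");
$check->execute([1]);
var_dump($check->fetchColumn() === $name); // bool(true): stored as plain data
$check->execute([99]);
var_dump($check->fetchColumn());           // bool(false): no such row
```

With `PDO::ATTR_EMULATE_PREPARES` left at its default of `true`, PDO builds the final SQL string on the client before sending it, so the server never sees a placeholder; the parameter value is still quoted and escaped by PDO, but the multi-statement `prepare()` in step 1 would no longer be rejected up front. Setting `PDO::MYSQL_ATTR_MULTI_STATEMENTS` to `false` in the constructor removes that capability from the connection altogether, which is the cheapest way to remove the case this answer opens with.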