mysql_real_escape_string()
So an SQL statement written as "select * from cdr where src =".$userId; must be changed so that $userId first passes through $userId = mysql_real_escape_string($userId); before it is concatenated into the query. Note that escaping only helps when the value is placed inside quotes in the SQL text: mysql_real_escape_string() escapes quote characters and backslashes, so "select * from cdr where src = '".$userId."'" is protected, while the unquoted form above still lets input that contains no quotes at all change the meaning of the query. Prefer prepared statements (mysqli or PDO), which keep the value out of the SQL text entirely; the mysql_* extension itself was deprecated in PHP 5.5 and removed in PHP 7.0, so its mysqli equivalent is $db->real_escape_string().
All output statements such as echo and print must pass their data through htmlentities() before printing; this prevents XSS. For Chinese content the character set must be given explicitly, as in htmlentities($name, ENT_NOQUOTES, 'GB2312'), and it must match the encoding the page is served in; with the wrong encoding htmlentities() mangles or rejects multi-byte text. Caveat: ENT_NOQUOTES leaves " and ' unescaped, which is only safe when the value lands in element text; for values inserted into HTML attributes use ENT_QUOTES.
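As an added example, not code from the original note, the following PHP puts the two points together: the vulnerable concatenation, the escape-and-quote fix described above (using the maintained mysqli equivalent, since the mysql_* functions are gone from PHP 7), a prepared-statement alternative, and output encoding with the charset set explicitly. The table name cdr and the column src come from the note; the connection parameters, database name and the sample input are assumptions for illustration.

```php
<?php
// Added example, not part of the original note. Connection details,
// the database name and the sample input are assumptions.
declare(strict_types=1);

// --- SQL side ---------------------------------------------------------

// Vulnerable: the value is neither escaped nor quoted, so anything the
// user sends becomes part of the SQL text.
function cdrQueryVulnerable(string $userId): string
{
    return "select * from cdr where src =" . $userId;
}

// The fix the note describes, with the mysqli replacement for
// mysql_real_escape_string(). Escaping only protects a value that is
// enclosed in quotes in the SQL text, so the quotes are essential.
function cdrQueryEscaped(mysqli $db, string $userId): string
{
    $safe = $db->real_escape_string($userId);
    return "select * from cdr where src = '" . $safe . "'";
}

// Preferred: a prepared statement sends the value separately from the
// query text, so no escaping of the value is needed at all.
// (get_result() requires the mysqlnd driver, which is the default.)
function cdrRowsPrepared(mysqli $db, string $userId): array
{
    $stmt = $db->prepare("select * from cdr where src = ?");
    $stmt->bind_param('s', $userId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- Output side ------------------------------------------------------

// Encode a value for HTML. ENT_QUOTES escapes both quote characters, so the
// result is safe in attribute values as well as element text; the charset
// must match the page encoding (GB2312 here as in the note; use 'UTF-8'
// for a UTF-8 page). ENT_SUBSTITUTE replaces invalid byte sequences
// instead of returning an empty string.
function h(string $s, string $charset = 'GB2312'): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Demonstration with a constructed, hostile-looking input.
$input = "1 or 1=1 -- <script>alert(1)</script>";
echo cdrQueryVulnerable($input), "\n";   // the input is spliced into the SQL unchanged

// Assumed credentials and database name; adjust for a real deployment.
$db = new mysqli('localhost', 'asterisk', 'password', 'asterisk');
// real_escape_string() is charset-aware, so the connection charset must be
// set to match the data being escaped.
$db->set_charset('gb2312');

echo cdrQueryEscaped($db, $input), "\n"; // whole input is now one quoted string literal

foreach (cdrRowsPrepared($db, $input) as $row) {
    // Every printed field is encoded, so a stored <script> in the cdr
    // table is rendered as text rather than executed.
    echo '<td title="', h((string) $row['src']), '">', h((string) $row['src']), "</td>\n";
}
```

The escaped form is kept only to show the minimum change the note asks for; for new code use the prepared statement, and keep the encoding call at the point of output rather than on storage so the same value can still be used safely in non-HTML contexts.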