SQL injection is generally caused by SQL statements that are assembled carelessly from user input. The problem lies in the SQL string itself, and the decisive character is the single quote ('). For example:
$sql = "delete from table where id = '$id'";
Submitting a normal id deletes one row. If the submitted id is `1' or 1 #`, the SQL statement becomes delete from table where id = '1' or 1 #' : the condition or 1 is always true, and # turns the trailing quote into a comment.
In this case every row of the table is deleted, which cannot be undone.
Since the problem is the quote, the fix is to escape it (').
addslashes($str)
// The following is recommended instead; it avoids character-set problems
mysql_real_escape_string($str, $link)

// Integer data might not get quotes added in the SQL, so force the escaped value to be wrapped in quotes.
// Closure defined inside a class that keeps the database connection in $this->link
$quote = function ($str) {
    return "'" . mysql_real_escape_string($str, $this->link) . "'";
};
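As an added example (not the article's own code), the following script puts the vulnerable pattern, the article's escape-and-quote fix, and a prepared statement side by side; it assumes a MySQL server at 127.0.0.1 with the constructed credentials below, a hypothetical table items, and uses mysqli_real_escape_string because the mysql_* extension no longer exists in current PHP.

```php
<?php
// Added example, not the article's own code. Assumes a MySQL server at 127.0.0.1
// with the constructed credentials below; table "items" and its columns are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on SQL errors

// 1. The vulnerable pattern from the article: user input pasted straight into the SQL text.
function buildDeleteUnsafe(string $id): string
{
    return "delete from items where id = '$id'";
}

// 2. The article's fix: escape for the connection's character set AND wrap in quotes,
//    so an integer-looking value cannot arrive unquoted. mysqli_real_escape_string
//    replaces mysql_real_escape_string (the mysql_* extension was removed in PHP 7).
function quoteForMysql(mysqli $link, string $value): string
{
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}

function deleteByIdEscaped(mysqli $link, string $id): int
{
    $link->query('delete from items where id = ' . quoteForMysql($link, $id));
    return $link->affected_rows;
}

// 3. Prepared statement: the value is sent separately from the SQL text, so the
//    quote never reaches the SQL parser and no escaping rule has to be remembered.
function deleteByIdPrepared(mysqli $link, string $id): int
{
    $stmt = $link->prepare('delete from items where id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed input: the same payload the article walks through.
$maliciousId = "1' or 1 #";

// Shows the statement the article describes; it is only built here, never sent to the server.
echo buildDeleteUnsafe($maliciousId), PHP_EOL;

$link = new mysqli('127.0.0.1', 'app', 'secret', 'app');
$link->set_charset('utf8mb4');   // escaping is only correct for the connection's charset
$link->query('create table if not exists items (id varchar(64) primary key, name varchar(64))');
$link->query("insert ignore into items values ('1', 'one'), ('2', 'two')");

// Both safe variants treat the payload as a literal id that matches no row,
// while a genuine id is still deleted normally.
echo deleteByIdEscaped($link, $maliciousId), ' row(s) deleted', PHP_EOL;
echo deleteByIdPrepared($link, $maliciousId), ' row(s) deleted', PHP_EOL;
echo deleteByIdPrepared($link, '1'), ' row(s) deleted', PHP_EOL;
```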
The above introduced how to prevent SQL injection in PHP and the aspects involved. I hope it is helpful to readers interested in PHP tutorials.