First of all your PHP or HTML page should produce a form that user can interact with. In the most simple form it'd be something like:

首先，您的 PHP 或 HTML 页面应该生成一个用户可以与之交互的表单。以最简单的形式，它会是这样的：

<html>
<body>
 <form method="post" action="yourscript.php">
  <input type="text" name="yourfield">
  <input type="submit" name="youraction" value="save">
 </form>
</body>
</html>

This will give your user a simple form with single input field and 'save' button. After clicking the 'save' button for content will be sent to your 'yourscript.php' using POSTmethod.

这将为您的用户提供一个带有单个输入字段和“保存”按钮的简单表单。单击“保存”按钮后，内容将使用POST方法发送到您的“yourscript.php” 。

yourscript.phpshould implement the following:

yourscript.php应执行以下操作：

1. Accept and process the input from your form.
2. Connect to your MySQL database.
3. Store into the database.

1. 接受并处理表单中的输入。
2. 连接到您的 MySQL 数据库。
3. 存入数据库。

In most simplistic form this would be:

在最简单的形式中，这将是：

<!doctype html>
<html>
 <head>
  <title>Process and store</title>
 </head>
<body>
<?php

// Check that user sent some data to begin with. 
if (isset($_REQUEST['yourfield'])) {

    /* Sanitize input. Trust *nothing* sent by the client.
     * When possible use whitelisting, only allow characters that you know
     * are needed. If username must contain only alphanumeric characters,
     * without puntation, then you should not accept anything else.
     * For more details, see: https://stackoverflow.com/a/10094315
     */
    $yourfield=preg_replace('/[^a-zA-Z0-9\ ]/','',$_REQUEST['yourfield']);

    /* Escape your input: use htmlspecialchars to avoid most obvious XSS attacks.
     * Note: Your application may still be vulnerable to XSS if you use $yourfield
     *       in an attribute without proper quoting.
     * For more details, see: https://stackoverflow.com/a/130323
     */
    $yourfield=htmlspecialchars($yourfield);


} else {
    die('User did not send any data to be saved!');
}


// Define MySQL connection and credentials
$pdo_dsn='mysql:dbname=yourdatabase;host=databasehost.example.com';
$pdo_user='yourdatabaseuser';     
$pdo_password='yourdatabaspassword';  

try {
    // Establish connection to database
    $conn = new PDO($pdo_dsn, $pdo_user, $pdo_password);

    // Throw exceptions in case of error.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Use prepared statements to mitigate SQL injection attacks.
    // See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php for more details
    $qry=$conn->prepare('INSERT INTO yourtable (yourcolumn) VALUES (:yourvalue)');

    // Execute the prepared statement using user supplied data.
    $qry->execute(Array(":yourvalue" => $yourfield));

} catch (PDOException $e) {
    echo 'Error: ' . $e->getMessage() . " file: " . $e->getFile() . " line: " . $e->getLine();
    exit;
}
?>
<form method="post">

 <!-- Please note that the quotes around next <?php ... ?> block are important
      to avoid XSS issues with poorly escaped user input. For more details:
      https://stackoverflow.com/a/2894530
  -->
 <input type="text" name="yourfield" value="<?php print $yourfield; ?>">
 <input type="submit" name="youraction" value="save">
</form>

</body>
</html>

Key takeaway here is to use prepared statements to avoid SQL injections attacks.

这里的关键是使用准备好的语句来避免 SQL 注入攻击。