You should use PDO Prepare

你应该使用PDO Prepare

From the link:

从链接：

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

为将使用不同参数值多次发出的语句调用 PDO::prepare() 和 PDOStatement::execute() 可通过允许驱动程序协商查询计划的客户端和/或服务器端缓存来优化应用程序的性能并元信息，并通过消除手动引用参数的需要来帮助防止 SQL 注入攻击。

PDO offers an alternative designed to replace mysql_escape_string()with the PDO::quote()method.

PDO 提供了一种替代方案，旨在用PDO::quote()方法替换mysql_escape_string()。

Here is an excerpt from the PHP website:

以下是 PHP 网站的摘录：

<?php
    $conn = new PDO('sqlite:/home/lynn/music.sql3');

    /* Simple string */
    $string = 'Nice';
    print "Unquoted string: $string\n";
    print "Quoted string: " . $conn->quote($string) . "\n";
?>

The above code will output:

上面的代码会输出：

Unquoted string: Nice
Quoted string: 'Nice'

Use prepared statements. Those keep the data and syntax apart, which removes the need for escaping MySQL data. See e.g. this tutorial.

使用准备好的语句。这些将数据和语法分开，从而消除了对 MySQL 数据进行转义的需要。参见例如本教程。