I believe mysql_real_escape_string()mysqli_real_escape_string()is the best way to escape input data

我相信mysql_real_escape_string()mysql i_real_escape_string()是转义输入数据的最佳方式

Later edit since everything is deprecated now and information must be valid:

稍后编辑，因为现在一切都已弃用并且信息必须有效：

Try to use PDOas prepared statements are much safer or mysqli_*() functionsif you really need to keep old code somewhat up-to-date.

如果您确实需要使旧代码保持最新，请尝试使用PDO作为准备好的语句或mysqli_*() 函数更安全。

Currently the most preferred way to insure your safety is prepared statements.

目前，确保您的安全的最优选方式是准备好的声明。

example:

例子：

$preparedStatement = $db->prepare('SELECT * FROM memebers WHERE username = :username');

$preparedStatement->execute(array(':username' => $username));

$rows = $preparedStatement->fetchAll();

then when displaying your data use htmlspecialchars()

然后在显示您的数据时使用 htmlspecialchars()

validMySQL($var) {
$var=stripslashes($var);
$var=htmlentities($var);
$var=strip_tags($var);
$var=mysql_real_escape_string($var);
return $var
}

The above code helps to sanitize most invalid data, just remember that you've to be connected to mysql database for mysql_real_escape_string to work...

上面的代码有助于清理大多数无效数据，请记住，您必须连接到 mysql 数据库才能使 mysql_real_escape_string 工作...