Classic ASP protection against SQL injection

Updated: 2023-01-17 10:38:40

The best option is to use parameterized queries. For how that is done, you must check out:

In PHP also, PDO (and prepared statements) allows developers to use parameterized queries to avoid SQL injection.

Yes, you can specify parameters in a WHERE clause, and for that you can use the ADODB.Command object, as in the example below:

' other connection code (objConn is an open ADODB.Connection created earlier)
Const adCmdText = 1, adVarChar = 200, adParamInput = 1   ' ADO constants, normally taken from adovbs.inc
Set objCommand = Server.CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn

' Note the space before AND: without it the two literals join into "name = ?AND info = ?"
strSql = "SELECT name, info FROM [companies] WHERE name = ? " _
    & "AND info = ?;"
objCommand.CommandText = strSql
objCommand.CommandType = adCmdText

' One typed parameter per ? placeholder, in the order the placeholders appear
objCommand.Parameters.Append objCommand.CreateParameter("name", adVarChar, adParamInput, 255)
objCommand.Parameters.Append objCommand.CreateParameter("info", adVarChar, adParamInput, 255)
objCommand.Parameters(0).Value = strName   ' user input is bound as data, never concatenated into strSql
objCommand.Parameters(1).Value = strInfo
Set objRS = objCommand.Execute

For more information, see the article link that I have posted above, or you may want to research the topic a little more if you want.
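The same ADODB.Command binding, generalized into a reusable helper that creates one typed parameter per "?" placeholder so no caller ever splices request input into the SQL text. This is an added example, not code from the answer above; it assumes objConn is an open ADODB.Connection and that the page's [companies] table is queried with form fields named "name" and "info".

```vbscript
' Added example (not from the original answer). Assumes objConn is an open ADODB.Connection.
Const adCmdText = 1, adParamInput = 1
Const adInteger = 3, adDate = 7, adVarChar = 200   ' standard ADO DataTypeEnum values

' Map a VBScript value to an ADO data type so the provider receives a typed parameter
Function AdoTypeFor(value)
    Select Case VarType(value)
        Case vbInteger, vbLong: AdoTypeFor = adInteger
        Case vbDate:            AdoTypeFor = adDate
        Case Else:              AdoTypeFor = adVarChar
    End Select
End Function

' Execute strSql with arrValues bound positionally to its ? placeholders; returns the Recordset.
' Because every value travels as a parameter, the SQL the provider parses is always strSql itself.
Function ExecParamQuery(objConn, strSql, arrValues)
    Dim cmd, i, prm, v
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandText = strSql
    cmd.CommandType = adCmdText
    For i = 0 To UBound(arrValues)
        v = arrValues(i)
        If AdoTypeFor(v) = adVarChar Then
            ' Request items arrive as objects; CStr forces a plain string. Size must be > 0 for
            ' variable-length types, so Len + 1 also covers the empty string.
            v = CStr(v)
            Set prm = cmd.CreateParameter("p" & i, adVarChar, adParamInput, Len(v) + 1, v)
        Else
            Set prm = cmd.CreateParameter("p" & i, AdoTypeFor(v), adParamInput, , v)
        End If
        cmd.Parameters.Append prm
    Next
    Set ExecParamQuery = cmd.Execute
End Function

' Usage: form values go straight into the array and are compared literally against the
' columns; quotes or keywords in the input are data to the provider, not SQL syntax.
Set rs = ExecParamQuery(objConn, _
    "SELECT name, info FROM [companies] WHERE name = ? AND info = ?", _
    Array(Request.Form("name"), Request.Form("info")))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"   ' encode on output as well
    rs.MoveNext
Loop
```

The number of placeholders in strSql must equal UBound(arrValues) + 1, or the provider rejects the command rather than silently running it.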