且构网


When to use PDO prepared queries: mysql_real_escape error

Updated: 2023-01-30 07:42:17

If you're using PDO, you should not be using mysql_real_escape_string. The PDO library has a very robust SQL placeholder method that does a much better job.

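// Placeholders only work with prepare(); query() would send ":username" to the server as-is.
$STH = $dbh->prepare("SELECT * FROM tblusers WHERE username = :username");
$STH->bindParam(':username', $username);
// Run the statement with the bound value before fetching.
$STH->execute();
$STH->setFetchMode(PDO::FETCH_ASSOC);
$result = $STH->fetch();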
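
The difference between binding a value and building it into the SQL text, as an added example that is not part of the original answer. It assumes the pdo_sqlite driver with an in-memory database and constructed rows; the function names findUserPrepared and findUserConcatenated are hypothetical.

```php
<?php
// Constructed sample data in an in-memory SQLite database (an assumption;
// the answer's own database and connection are not shown on the page).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE tblusers (id INTEGER PRIMARY KEY, username TEXT)");
$dbh->exec("INSERT INTO tblusers (username) VALUES ('alice'), ('O''Brien')");

// Placeholder form: the SQL text is fixed and the value travels separately,
// so quote characters in $username stay data.
function findUserPrepared(PDO $dbh, string $username): array
{
    $sth = $dbh->prepare("SELECT * FROM tblusers WHERE username = :username");
    $sth->bindValue(':username', $username, PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// String-built form, for contrast only: the value becomes part of the SQL
// text, so a single quote in it changes how the statement parses.
function findUserConcatenated(PDO $dbh, string $username): array
{
    $sql = "SELECT * FROM tblusers WHERE username = '" . $username . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one plain name and one containing an apostrophe.
foreach (["alice", "O'Brien"] as $input) {
    $bound = count(findUserPrepared($dbh, $input));
    try {
        $built = count(findUserConcatenated($dbh, $input)) . " row(s)";
    } catch (PDOException $e) {
        // The apostrophe ended the string literal early and the rest of the
        // value was parsed as SQL.
        $built = "statement failed to parse";
    }
    printf("%-10s prepared: %d row(s); concatenated: %s\n", $input, $bound, $built);
}
```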