且构网


Login session destroyed after refresh

Updated: 2023-12-03 17:19:28

mysqli_real_escape_string() REQUIRES you to have an active/established connection to the DB. Since you're doing the m_r_e_s() call BEFORE you connect, you'll simply get back boolean FALSE to signify failure. So you're trashing your "quoted" values.

Boolean false values inserted into a string just get converted into empty strings, so your queries start looking like

SELECT ... WHERE username=''
                           ^---see the boolean false in there?

Your code sequence should be:

session_start();
connect_to_db();
prepare_variables();
do_query();

And since you're using mysqli, why are you manually escaping variables anyways? You could just use a prepared statement + placeholders and bypass the problem entirely.
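
The ordering and the prepared-statement approach described above, as an added example that is not part of the original answer. The connection parameters, the `users` table with `id`, `username` and `password_hash` columns, and the form field names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// 1. Start the session first, before any output is sent.
session_start();

// 2. Connect. Make mysqli throw exceptions instead of failing silently,
//    so a missing connection can never turn into an empty query value.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder values
$db->set_charset('utf8mb4');

// 3. Prepare variables. No escaping: values are sent separately from the SQL text.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($username) || !is_string($password) || $username === '') {
    http_response_code(400);
    exit('Missing credentials');
}

// 4. Run the query with a placeholder instead of string concatenation.
$stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($userId, $passwordHash);
$found = $stmt->fetch(); // true when a row was fetched, null when none matched
$stmt->close();

if ($found === true && password_verify($password, $passwordHash)) {
    // Issue a fresh session ID on login to prevent session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    echo 'Logged in';
} else {
    http_response_code(401);
    echo 'Invalid username or password';
}
```

With `MYSQLI_REPORT_STRICT` enabled, a failed connection raises `mysqli_sql_exception` at step 2 rather than letting later calls run against a connection that was never established.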