考虑使用参数化查询使用 PDO 例如.

Consider using Parameterized Queries using PDO for example.

或者，将变量括在括号 { } 中.

Alternately, enclose your variables in brackets { }.

我错过了您的变量 $subject 包含 单引号.这意味着你必须逃避它们.(请参阅无数其他答案和 mysql_real_escape_string() 关于此.)但是正如您所看到的，变量中的单引号正是注入攻击的工作方式.转义它们有助于防止此类问题，并允许您的查询存储预期的数据.

I missed that your variable $subject contains single quotes. This means you have to escape them. (See the myriad of other answers and mysql_real_escape_string() about this.) But as you can see, single quotes inside the variable is exactly how injection attacks work. Escaping them helps prevent such problems as well as allow your query to store the expected data.

如果不参考 Bobby Tables，关于注入攻击的答案是不完整的.

No answer about injection attacks is complete without referencing Bobby Tables.