更好的方法是

1. mysqli_query（）


2. PDO :: query（）

1. mysqli_query()
2. PDO::query()

您可以使用下面的功能，但我/我们建议您不要使用该功能，因为 mysql _ * 现在已由社区维护和更新。

you can use the function below but i/we recommended you to not use function since the mysql_* now anymore maintained and updating by community .

仅出于您的了解

 $id = mysql_prep($_POST['id']);


function mysql_prep($value)
{
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return  $value ;
}

好读

防止PHP中注入SQL的***方法？