如何防止PHP中进行SQL注入？ - How can I prevent SQL injection in PHP?

问题：

This post is a Community Wiki . 这篇文章是社区维基 。 Edit existing answers to improve this post. 编辑现有答案以改善此职位。 It is not currently accepting new answers. 它当前不接受新的答案。

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection , like in the following example: 若是将用户输入未经修改地插入到SQL查询中，则应用程序容易受到SQL注入的攻击，如如下示例所示：

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;-- 这是由于用户能够输入相似value'); DROP TABLE table;-- value'); DROP TABLE table;-- , and the query becomes: value'); DROP TABLE table;-- ，查询变为：

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening? 如何防止这种状况的发生？

---

解决方案：

参考一： https://stackoom.com/question/FeY/如何防止PHP中进行SQL注入
参考二： https://oldbug.net/q/FeY/How-can-I-prevent-SQL-injection-in-PHP