如何防止PHP中進行SQL注入？ - How can I prevent SQL injection in PHP?

問題：

This post is a Community Wiki . 這篇文章是社區維基 。 Edit existing answers to improve this post. 編輯現有答案以改善此職位。 It is not currently accepting new answers. 它當前不接受新的答案。

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection , like in the following example: 若是將用戶輸入未經修改地插入到SQL查詢中，則應用程序容易受到SQL注入的攻擊，如如下示例所示：

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;-- 這是由於用戶能夠輸入相似value'); DROP TABLE table;-- value'); DROP TABLE table;-- , and the query becomes: value'); DROP TABLE table;-- ，查詢變爲：

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening? 如何防止這種狀況的發生？

---

解決方案：

參考一： https://stackoom.com/question/FeY/如何防止PHP中進行SQL注入
參考二： https://oldbug.net/q/FeY/How-can-I-prevent-SQL-injection-in-PHP