Which is the Best way to prvent SQL injection using PHP [duplicate]

This question already has answers here: How can I prevent SQL injection in PHP? (27 answers) Closed 8 years ago.

Now my query, SP is breaking if i enter

ssds ' " ' sdsd开发者_开发问答s

or just

' " '

this is for mainly search functionality.

Which will be the best way to avoid all possibilities.

eg: str_replace or better ways.. write some function!

---

You didn't mention which DBMS, so I'm assuming MySQL here.

The best way would be to use PDO and/or prepared statements. The next best way would be to use mysql_real_escape_string() if you are using the procedural API.

---

Use a prepared statement to separate your logic (SQL) and your content (whatever your input is). You don't have to worry about all those escape things, you just tell your query that you're input is a string, not SQL code. Guessing mysql:

http://www.php.net/manual/en/mysqli-stmt.prepare.php

quick example:

$stmt->prepare("INSERT INTO table VALUES (?)");
$stmt->bind_param("s", "your'''\\\input goes here");
$stmt->execute();

---

Check out prepared statements in the MySQL manual, in the PHP manual, or this article, before even starting to look at escaping.

It is just too easy to get escapes wrong!

Dw.