<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");

// Check connection
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);

$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>

+https://www.w3schools.com/php/func_mysqli_real_escape_string.asp

php5+
ป้องกัน injection

วิธีอื่น

+https://stackoverflow.com/questions/22304930/is-mysqli-real-escape-string-safe

—

+https://stackoverflow.com/questions/14135932/should-i-use-mysqli-real-escape-string-or-mysql-real-escape-string-for-form

If you connection string is:

mysql_connect()

then use:

mysql_real_escape_string($_POST[''])

If it is:

$mysqli = new mysqli();

then use:

$mysqli->real_escape_string($_POST[''])