mysql_real_escape_string()
So if the SQL statement is built like this: "select * from cdr where src = ".$userId; the value must first be escaped with $userId = mysql_real_escape_string($userId); before it is concatenated into the query. Escaping only neutralises characters that would close a quoted string, so the escaped value must also be enclosed in quotes inside the SQL for this to help.
For every statement that prints output, such as echo or print, pass the value through htmlentities() first to prevent XSS. Note that for Chinese text the character set must be given explicitly: htmlentities($name, ENT_NOQUOTES, 'GB2312').
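The two techniques side by side, as an added example that is not code from the original page: mysql_real_escape_string() needs a live database connection and no longer exists in PHP 7+, so escape_like_mysql() below is a constructed stand-in that applies the same character escaping; the inputs are constructed, and the charset argument is UTF-8 here where the page's Chinese case would pass 'GB2312'.

```php
<?php
// Stand-in for mysql_real_escape_string(): that function needs a live
// connection (and is gone in PHP 7+), so this constructed helper applies the
// same character escaping purely for offline demonstration.
function escape_like_mysql(string $value): string {
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// The page's query shape: the escaped value is concatenated without quotes,
// so input that contains no quote characters passes through unchanged.
function query_unquoted(string $userId): string {
    return "select * from cdr where src = " . escape_like_mysql($userId);
}

// Hardened form: the escaped value sits inside single quotes, so every
// character that could end that string literal has been escaped.
function query_quoted(string $userId): string {
    return "select * from cdr where src = '" . escape_like_mysql($userId) . "'";
}

// XSS side: ENT_NOQUOTES (as in the page's GB2312 example) leaves quote
// characters alone, which is not enough once the value lands inside an
// HTML attribute; ENT_QUOTES encodes them too. The charset must match
// the encoding the page is served in.
function render_noquotes(string $name): string {
    return '<input value="' . htmlentities($name, ENT_NOQUOTES, 'UTF-8') . '">';
}

function render_quotes(string $name): string {
    return '<input value="' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '">';
}

$sqlInput = "1 or 1=1";                 // constructed test input with no quote characters
echo query_unquoted($sqlInput), "\n";   // escaping changed nothing: the OR clause is live SQL
echo query_quoted($sqlInput), "\n";     // the whole input is now one harmless string literal

$htmlInput = '" onmouseover="alert(1)'; // constructed test input
echo render_noquotes($htmlInput), "\n"; // quotes survive, so the input breaks out of the attribute
echo render_quotes($htmlInput), "\n";   // quotes are encoded as entities, so the attribute holds
```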
The above introduces two simple methods for preventing SQL injection and XSS attacks in PHP. I hope it will be helpful to friends who are interested in PHP tutorials.