Use PDO and prepared queries ($conn is a PDO object):
// The SQL text is fixed at prepare time; :id and :name are placeholders, not string interpolation.
$stmt = $conn->prepare("INSERT INTO tbl VALUES(:id, :name)");
// Values are sent separately from the statement, so quotes in $name cannot change the query.
$stmt->bindValue(':id', $id);
$stmt->bindValue(':name', $name);
$stmt->execute();
Along with PDO and prepared queries, make sure that all input variables are sanitized properly with trim() and strip_tags(), as mentioned here.
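The following is an added, self-contained example (not code from the original answer) showing the prepared statement above next to the string-concatenation form it replaces. It uses an in-memory SQLite database so it runs offline without a server; the table `tbl`, the functions `insertUnsafe` and `insertSafe`, and the sample value `O'Brien` are all constructed for the example. The point it demonstrates is that the prepared statement stores an input containing a single quote verbatim, while the concatenated query is broken by the same input, because only the prepared form keeps data separate from the SQL text.

```php
<?php
// Added example: PDO prepared statement vs. string concatenation.
// Assumes the pdo_sqlite driver is available (bundled with most PHP builds).
$conn = new PDO('sqlite::memory:');
// Throw on errors so failures are visible instead of silently returning false.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table for the example.
$conn->exec("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");

// Constructed input: an ordinary surname that happens to contain a quote.
$id   = 1;
$name = "O'Brien";

// Vulnerable form: the value is interpolated into the SQL text, so the quote
// in $name becomes part of the statement and the query no longer parses.
function insertUnsafe(PDO $conn, int $id, string $name): bool
{
    try {
        $conn->exec("INSERT INTO tbl VALUES($id, '$name')");
        return true;
    } catch (PDOException $e) {
        echo "unsafe insert failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// Hardened form: the statement shape is fixed by prepare(); values are bound
// with explicit types and sent separately, so the quote is just data.
function insertSafe(PDO $conn, int $id, string $name): bool
{
    $stmt = $conn->prepare("INSERT INTO tbl VALUES(:id, :name)");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

insertUnsafe($conn, $id, $name);   // prints a syntax error from SQLite
insertSafe($conn, $id, $name);     // succeeds

// Read the row back; the name is stored exactly as supplied, quote included.
$row = $conn->query("SELECT id, name FROM tbl WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

When the target is MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` in the connection options so the server prepares the statement natively instead of the driver quoting values client-side; the binding calls stay the same.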