是的,总是转义您传递给查询的变量.
更好的是,使用PDO:
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
?>
这样您就不需要处理转义(除非您有需要特别小心的查询).
但如果你坚持使用MySQL扩展,那么使用mysql_real_escape_string().