PHP SQL injection prevention without parameter binding [duplicate]

Answer 1

The basic idea to prevent SQL injections (if not using Prepared Statements) is to escape your data.

When you inject some expected integer value into an SQL query, make sure it's an integer, using intval().

When you have a decimal/numeric field in your table, use floatval().

And when you have a string (char, varchar, text) field in your table, use the function provided by your API to escape strings :

• mysql_real_escape_string()
• mysqli_real_escape_string()
• PDO::quote()