hello,
here is an example... you can find it on php.net by searching for the mysql_real_escape_string function!!
....
....
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
if(!is_resource($link)) {
echo "Échec de la connexion au serveur\n";
// ... historisation de l'erreur
} else {
// Annule les effets magic_quotes_gpc/magic_quotes_sybase sur ces variables si ON.
if(get_magic_quotes_gpc()) {
$product_name = stripslashes($_POST['product_name']);
$product_description = stripslashes($_POST['product_description']);
} else {
$product_name = $_POST['product_name'];
$product_description = $_POST['product_description'];
}
// Faire une requête sécurisée
$query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
mysql_real_escape_string($product_name, $link),
mysql_real_escape_string($product_description, $link),
$_POST['user_id']); mysql_query($query, $link);
....
....