What is the best way to prevent SQL injection using PHP?



Now my query, SP is breaking if I enter

ssds ' " ' sdsds

or just

' " '

This is mainly for search functionality.

Which will be the best way to avoid all possibilities?

E.g. str_replace or better ways... write some function!

You didn't mention which DBMS, so I'm assuming MySQL here.

The best way would be to use PDO and/or prepared statements. The next best way would be to use mysql_real_escape_string() if you are using the procedural API.
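
The prepared-statement approach from the answer above, applied to the search case in the question, as an added example that is not part of the original posts. The table, column and function names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline; with MySQL only the DSN changes.

```php
<?php
// Added example: schema, sample rows and searchArticles() are constructed for illustration.
// For MySQL the DSN would look like 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also turn off emulation so the server itself binds the parameters:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $pdo->prepare('INSERT INTO articles (title) VALUES (:title)');
foreach (['plain title', "ssds ' \" ' sdsds", '100% match', '100 percent'] as $title) {
    $insert->execute([':title' => $title]);
}

function searchArticles(PDO $pdo, string $term): array
{
    // Quotes need no treatment: a bound value never becomes part of the SQL text.
    // LIKE wildcards are still interpreted inside the value, so escape % and _
    // (and the escape character itself) to get a literal substring match.
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);

    $stmt = $pdo->prepare(
        "SELECT id, title FROM articles WHERE title LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The two inputs from the question, plus one containing a LIKE wildcard.
foreach (["ssds ' \" ' sdsds", "' \" '", '100%'] as $input) {
    $rows = searchArticles($pdo, $input);
    printf("%-20s => %d row(s)\n", $input, count($rows));
    foreach ($rows as $row) {
        printf("    #%d %s\n", $row['id'], $row['title']);
    }
}
```

The `!` escape character is used instead of a backslash because MySQL and SQLite treat backslashes inside string literals differently, while `ESCAPE '!'` behaves the same on both.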