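//// MySQL statement (prepared) ////
// The SQL text is sent to prepare() with `?` placeholders only; the values are handed over
// separately in execute(), so they are treated as data and never parsed as SQL syntax.
// `table` and `columnname` are placeholder names from the example.
// NOTE(review): $mysql_conn is presumably a PDO connection (execute() with an array) - confirm.
// If it is PDO, setting PDO::ATTR_EMULATE_PREPARES to false makes the server do the binding
// instead of the client library.
$sql = $mysql_conn->prepare("UPDATE table SET columnname = ? WHERE id = ?");
// Values are bound in placeholder order: first `?` = $new_value, second `?` = $id.
$sql->execute(array($new_value, $id));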
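//// SQL Server statement (sqlsrv, parameterized) ////
// The value is passed in the parameter array and bound to the `?` placeholder by the driver;
// it is never concatenated into the query text.
$client_select = array($select);
$tsql1 = "SELECT * FROM customertable where id = ?";
$result1 = sqlsrv_query($conn, $tsql1, $client_select);
if ($result1 === false) {
    // sqlsrv_query() returns false on failure. Keep the driver diagnostics in the server log
    // and give the caller a generic message, so schema details are not shown to the user.
    error_log(print_r(sqlsrv_errors(), true));
    throw new RuntimeException('Customer lookup failed');
}
// Associative array for the first row; null when no row matches, false on a fetch error.
$row1 = sqlsrv_fetch_array($result1, SQLSRV_FETCH_ASSOC);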
如果是这样,有人可以详细说明为什么上面的 MYSQL 预处理语句比下面的写法更安全吗:
// Counter-example kept as written: $id is interpolated straight into the SQL string, so the
// database receives one piece of text and cannot tell the value apart from the statement.
// If $id comes from a request without strict validation, its contents are parsed as SQL
// (SQL injection). The quotes around '$id' do not help, because the value can contain quotes.
// The mysql_* extension used here was also removed in PHP 7.0; PDO or mysqli with bound
// parameters, as in the prepared examples, is the replacement.
$sql = mysql_query("select * from customers where id='$id'");
// Note that $sql is reused: it held the result resource and now holds the fetched row.
$sql = mysql_fetch_assoc($sql);