http://stackoverflow.com/questions/5877892/php-and-mysql-single-quote-or-double-quote
Method 1:
// Escape the values first, then wrap the escaped strings in single quotes inside the SQL text.
// mysql_real_escape_string() needs an open mysql_* connection and belongs to the old mysql
// extension (removed in PHP 7); mysqli_real_escape_string() or PDO (Method 2) is the current form.
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
Method 2:
// Database credentials ($db_user/$db_password) are separate from the submitted login values
// ($user/$password) that the query checks; the original used the same names for both.
$dbh = new PDO('mysql:dbname=your_database;host=your_host', $db_user, $db_password);
// Named placeholders: the values are sent as data, so no quoting or escaping is needed.
$stmt = $dbh->prepare('SELECT * FROM users WHERE user = :username AND password = :password');
$stmt->execute(array('username' => $user, 'password' => $password));
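As an added example (not code from the StackOverflow answer above), Method 2's PDO approach run against an in-memory SQLite database so it can be tried offline: the table, rows and inputs are constructed, the `findUser`/`login` helpers are mine, and it assumes the pdo_sqlite extension is installed. A user name containing a single quote shows why binding the value beats writing it into the SQL text by hand.

```php
<?php
// Constructed in-memory database standing in for the page's MySQL "users" table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a password hash rather than the plaintext the page's query compares against.
$ins = $dbh->prepare('INSERT INTO users (user, password) VALUES (:u, :p)');
$ins->execute(['u' => "O'Brien", 'p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Look the user up by name only; the placeholder carries the value as data,
// so a quote inside $user never becomes part of the SQL statement.
function findUser(PDO $dbh, string $user): ?array
{
    $stmt = $dbh->prepare('SELECT user, password FROM users WHERE user = :username');
    $stmt->execute(['username' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Compare the submitted password against the stored hash in PHP, not in SQL.
function login(PDO $dbh, string $user, string $password): bool
{
    $row = findUser($dbh, $user);
    return $row !== null && password_verify($password, $row['password']);
}

echo "bound lookup of O'Brien: ", findUser($dbh, "O'Brien") ? "found" : "missing", PHP_EOL;
echo "login with right password: ", login($dbh, "O'Brien", 'correct horse') ? "ok" : "denied", PHP_EOL;
echo "login with wrong password: ", login($dbh, "O'Brien", 'wrong') ? "ok" : "denied", PHP_EOL;

// The same name written straight into a single-quoted SQL literal (the pattern
// Method 1 has to escape by hand) is a syntax error, which is what the escaping guards against.
try {
    $dbh->query("SELECT user FROM users WHERE user = 'O'Brien'");
    echo "interpolated lookup: unexpectedly succeeded", PHP_EOL;
} catch (PDOException $e) {
    echo "interpolated lookup: SQL error (", $e->getMessage(), ")", PHP_EOL;
}
```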
Why you should be using php's PDO for database access