Preventing SQL injection in PHP without PDO


function getrepairsql($sql, $replacement, $isreturn = 0, $conn = null)
{
    // Integers are cast with intval(); anything else is escaped and quoted.
    // Pass a mysqli connection in $conn so the escaping follows the connection
    // character set; without one, addslashes() is used as a fallback.
    foreach ($replacement as $k => $v) {
        if (is_int($v)) {
            $replacement[$k] = intval($v);
        } elseif ($conn instanceof mysqli) {
            $replacement[$k] = "'" . mysqli_real_escape_string($conn, (string) $v) . "'";
        } else {
            $replacement[$k] = "'" . addslashes((string) $v) . "'";
        }
    }

    // Replace the ? placeholders left to right, continuing after each inserted
    // value so a value that itself contains '?' is never treated as a placeholder.
    $res    = '';
    $offset = 0;
    foreach ($replacement as $v) {
        $pos = strpos($sql, '?', $offset);
        if ($pos === false) {
            break;
        }
        $res   .= substr($sql, $offset, $pos - $offset) . $v;
        $offset = $pos + 1;
    }
    $res .= substr($sql, $offset);

    if ($isreturn == 1) {
        return $res;
    }
    print_r($res);
    exit();
}


// $ss holds the user-supplied id value
$sql = 'select * from aa_copy_copy where id=?';
$sql = getrepairsql($sql, array($ss), 1);

Plain placeholder substitution is enough.

If the value is a number, intval() alone is sufficient.
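The same placeholder-and-values interface, written with mysqli prepared statements instead of text substitution, added here as an example that is not part of the original post. It assumes a hypothetical mysqli connection (`$conn`), the mysqlnd driver for `get_result()`, and the table `aa_copy_copy` from the post with an integer `id` column.

```php
<?php
// Added example: bind the values with mysqli prepared statements. mysqli is
// not PDO, and because the server receives the values separately from the
// statement text, quoting and escaping are no longer the application's job.
function run_prepared(mysqli $conn, string $sql, array $params): array
{
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    if ($params) {
        // Type string for bind_param: i for integers, d for floats, s otherwise.
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    // get_result() requires the mysqlnd driver (assumed here).
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Hypothetical connection details; adjust to your environment.
$conn = new mysqli('localhost', 'user', 'password', 'dbname');
$conn->set_charset('utf8mb4');

// Constructed input containing a quote and a comment marker. Spliced into the
// SQL text it would change the statement; bound as a parameter it is only a
// string compared against the id column and matches nothing.
$ss   = "1' or '1'='1";
$rows = run_prepared($conn, 'select * from aa_copy_copy where id=?', [$ss]);

// A numeric id is cast with intval() and bound as an integer.
$rows = run_prepared($conn, 'select * from aa_copy_copy where id=?', [intval('7')]);
print_r($rows);
```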

Original source: https://www.cnblogs.com/newmiracle/p/15400699.html