我想保护数据库免受SQL注入。如何在此代码中使用PDO或mysqli mysql_real_escape_string。我的PHP版本是5.6.36
public function LoginUser($email, $password)
{
/*
* echo $password= addslashes("$password"); die;
*/
$sql = "SELECT ref,firstname,contact,email,parent_id FROM `pro` where passe=password('$password') and email='$email' "; // or login='$email'
$result = mysql_query($sql);
return $data = mysql_fetch_assoc($result);
}