SQL special characters

New users who have special SQL characters are asking for help. new students are new to php and do not know how to handle post submitted by users on the forum, another problem is whether to display the content in the library directly after SQL query, or display the content in the library after special characters are processed. For the first time, I don't understand this. I hope you guys can talk about SQL special character issues.
I am a beginner in php. I don't know how to handle the post submitted by users on the forum. before receiving the post in the background, you should check the content or directly import it to the database.

Another problem is whether the content in the library is displayed directly to users after SQL queries, or after special characters in the library content are processed.

I don't understand this for the first time. I also hope you guys can talk about how you process this SQL statement and how to process the data in the database and then show it to users?
Thank you! you have a good life!

------ Solution --------------------

Htmlspecialchars ($ content );

Htmlspecialchars_decode (); // decoded before Display
------ Solution --------------------
I know at least two attack methods.
1. SQL injection
There are many solutions. at least we need to escape the single quotation marks of the data submitted by the user. Php has many such functions, such as mysql_escape_string (), htmlspecialchars (), addslashes ()
2. XSS attacks
HTML tags must be strictly escaped for the data submitted by the user to be displayed. Otherwise, if your post contains HTML code, for example, some JS code in script will be executed, and they can steal cookies of normal users, it is more likely to obtain the session id to impersonate a legitimate user and cheat the server. Or, you can use your machine to launch a DDOS attack script against other websites. if it is displayed directly, it will be attacked.
The solution is as described above, but it cannot be decoded using htmlspecialchars_decode ().

These methods are common. if you do not understand them, you can search a large number of examples on google.
------ Solution --------------------
Discussion

I know at least two attack methods.
1. SQL injection
There are many solutions. at least we need to escape the single quotation marks of the data submitted by the user. Php has many such functions, such as mysql_escape_string (), htmlspecialchars (), addslashes ()
2. XSS attacks
HTML tags must be strictly escaped for the data submitted by the user to be displayed. Otherwise, if your post contains HTML code, such as some of the scripts ......

------ Solution --------------------
It is not possible to directly store the data in the database... unless you want to have a variety of strange links and content in your forum in the next two days...
Escape and encoding are common methods...
------ Solution --------------------
Discussion

HTML tags must be strictly escaped for the data submitted by the user to be displayed. Otherwise, if your post contains HTML code, for example, some JS code in script will be executed, and they can steal cookies of normal users, it is more likely to obtain the session id to impersonate a legitimate user and cheat the server. Or, you can use your machine to launch a DDOS attack script against other websites. if it is displayed directly, it will be attacked.
The solution is as described above, but it cannot be decoded using htmlspecialchars_decode ().

------ Solution --------------------
At least escape characters that are ambiguous to the database.
It is much safer to control the portal.
Like firewalls and anti-virus software. The key is anti-virus. Virus detection, slow down