在另一个问题中有一条评论,内容如下:
"When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string."
所以,我想问的是:为什么准备好的参数化查询更安全?