如何将php代码插入数据库？

Question

I'm testing my mysql codes vulnerability.
This is the php injection:

$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");

Or any other php code, like blow:

<?php mysqli_close($conn); ?>

My purpose is to insert them into DB but don't execute them.
Actualy these codes are gonna inserted into DB from an html input form by a user and I wan to display them for the user.(sth like messaging)
Problem :
The problem is that when I try to insert them into DB it fails, my insert query is this:

mysqli_query($conn,"INSERT INTO table (usr,id,message,date) VALUES ($usr,'$id','$message','$date')");

The codes are in $message .
I also should add this validation function:

function validate($data)
{
    stripslashes($data);
    htmlspecialchars($data);
    htmlentities($data);
    strip_tags($data);
    addslashes($data);
    return($data);
}

Before inserting $message into DB I have validated it by this function validate($message) but even this can't fix the problem.

---

I have searched but there's no results for this question in google!
Any one knows how to insert codes into mysql database?

Answer 1

Escape your input data with a real_escape_string function: http://php.net/manual/en/mysqli.real-escape-string.php

Now you can safely create a legal SQL string that you can use in an SQL statement.

Answer 2

To insert code php in database, following this options : 1. To insert data, use htmlspecialchars. example :

$string = '<?php echo "Hello world"; ?>';
htmlspecialchars($string);

2. Before read/get data, use htmlspecialchars_decode. Example : htmlspecialchars_decode($string);

   Hope this maybe can help you :-)