SQL Injection
angrycolombian
08-05-2010, 08:23 PM
Wonderful forum, I have an important question:
Does anyone know the best ways to avoid or stop SQL injection? I am new in web development, and two websites that I created about 5 months ago were hacked. The hosting said it is SQL injection; does anyone know about this?
nitin
08-06-2010, 03:28 AM
Use parametrized queries. Don't feed info directly to your server, requested from the address bar of the browser.
I usually use a regular expression to make sure that I am removing characters that are invalid. PHP also provides a wide range of utilities for validating and confirming input. There are libraries to validate text, numbers, even e-mail addresses and URLs. In fact, that's all one library, filter_var. This function allows you to verify that the input is valid according to your needs.
Another function that is very underused is mysql_real_escape_string. This function MUST be called on every single variable that you are including in a MySQL query. Even on binary data. Do not use addslashes, or other hacks. This function takes into consideration both the configuration of PHP, as well as the encoding of your database, in determining the best way to escape the given string.
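A worked contrast of the two approaches nitin describes (string-built SQL versus a parametrized query, with filter_var validation as a separate step), as an added example that is not code from the thread; it assumes PHP with the pdo_sqlite extension so it runs offline (for MySQL only the DSN and credentials change).

```php
<?php
// Added example, not from the thread: a query built by string concatenation
// beside the PDO prepared-statement form. In-memory SQLite so it runs
// offline; for MySQL only the DSN and credentials change.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $db;
}

// Vulnerable form: the input is pasted into the SQL text, so any quote in it
// is parsed as part of the statement rather than as data.
function findUserConcat(PDO $db, string $name): ?array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the SQL text is fixed and the value is bound separately,
// so the database never interprets the input as SQL, quotes or not.
function findUserPrepared(PDO $db, string $name): ?array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validation is a separate step from query construction: check the shape of
// the input with filter_var first, then still bind it as a parameter.
function findUserById(PDO $db, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject malformed input instead of trying to "clean" it
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
$db = setupDb();
$input = "O'Brien"; // constructed: a legitimate value that happens to contain a quote
try {
    findUserConcat($db, $input); // the quote breaks the statement
} catch (PDOException $e) {
    echo "concat: the quote was parsed as SQL syntax: " . $e->getMessage() . "\n";
}
var_dump(findUserPrepared($db, $input)); // finds the O'Brien row
var_dump(findUserById($db, "2abc"));     // rejected by integer validation
```

The same legitimate input that throws a syntax error in the concatenated form is matched correctly by the prepared statement, which is why binding parameters, not stripping quotes, is the fix.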
sates52
08-29-2010, 07:25 AM
Replace the ' character in your queries.
AndrisE
10-13-2010, 04:45 AM
Replace the ' character in your queries.
That's bad advice because some queries work without any quotes or with double quotes. You still need to sanitize and filter all data defined by the user.