To prevent SQL injection in PHP you should always use "prepared statements".
Using PDO :
$stmt = $pdo->prepare('SELECT * FROM users WHERE address = :address ');
$stmt->execute([ 'address ' => $address ]);
foreach ($stmt as $row) {
// Do something with $row
}
Using MySQLi :
$mysqli = new mysqli("database_host_name", "username", "password", "database_name");
$stmt = $mysqli ->prepare('SELECT * FROM users WHERE address = ?');
$stmt->bind_param('s', $address );
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// Do something with $row
}