How does sprintf() protect against SQL injection?
I have heard that sprintf() protects against SQL injection. Is it true? If so, how?
Why are people recommending writing a query like this?

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s', $col1, $col2);

Tags: php mysql sql-injection
asked Jul 11 '11 at 6:58 by Rukmi Patel; edited Nov 22 at 1:28 by reformed
Which people recommend such a thing? – Tomalak, Jul 11 '11 at 7:00 (score 9)
What you probably mean is prepared statements, which is a different topic. – Gal, Jul 11 '11 at 7:02 (score 3)
4 Answers
Accepted answer (score 9):
sprintf won't protect! It only replaces the %s.
You must use mysql_real_escape_string, so:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
               mysql_real_escape_string($col1),
               mysql_real_escape_string($col2));

is safer against injection.
Note: I suggest you take a look at PDO; that is what I like to use for DB connections and queries.
answered Jul 11 '11 at 7:03 by beardhatcode; edited Jul 11 '11 at 7:05 by Flimzy
Answer (score 9):
That doesn't do any protection. Using sprintf makes for more readable code than dropping in and out of a string to run mysql_real_escape_string over each of the variables … but that example doesn't escape the variables at the end, so that advantage is lost.
If you want decent protection, use something that provides bound parameters.
answered Jul 11 '11 at 7:01 by Quentin
+1 for myself_real_escape_string, LOL. :D – deceze♦, Jul 11 '11 at 7:01 (score 8)
Ooops. stupid_overlong_not_fake_function_names are too easy to introduce typos to at this time of the morning. :) – Quentin, Jul 11 '11 at 7:05
Answer (score 3):
Using sprintf might protect against SQL injection for numeric fields:

$sql = sprintf("SELECT * FROM table WHERE col1 = %d", $col1);

By using sprintf in this way, you can be sure that $col1 will be converted to an integer--although it might generate an error or warning if it's not truly an integer.
The proper way to protect against SQL injection is to check all of your input values, and do escaping. But that's much more thoroughly covered in other questions, so I'm not going to go into detail here.
answered Jul 11 '11 at 7:04 by Flimzy
But with integers, you'd not have to use special precautions anyway. – Tomalak, Jul 11 '11 at 7:06
Sure you do... What if the user-input "integer" looks like this: "; DROP TABLE users;"? – Flimzy, Jul 11 '11 at 7:08 (score 1)
Then it's not an integer, very simple. I did not say you could drop type checking. – Tomalak, Jul 11 '11 at 7:09
You said "no special precautions"--I would consider type checking a precaution. In any case, using sprintf is a silly way to try to protect against SQL injection for any data. – Flimzy, Jul 11 '11 at 7:11 (score 1)
Yes, but I also said "integer", which is something I'd consider an established fact only after type checking - or when I'm dead sure that it cannot be anything else (calculation result, loop variable). – Tomalak, Jul 11 '11 at 7:12
Answer (score 1):
It obviously doesn't, and if you've actually read that in a book or tutorial you should automatically discard it for future reference.
However, it can be a practical way to generate output that needs further processing. Please compare:

echo '<p>Hello, <strong>' . htmlspecialchars($name) . '</strong>, welcome to ' . htmlspecialchars($place) . '</p>';

echo sprintf('<p>Hello, <strong>%s</strong>, welcome to %s</p>',
    htmlspecialchars($name),
    htmlspecialchars($place)
);

The same applies to other kinds of output, such as SQL code, but of course you still need to do something to the input in order to make it safe: sprintf() is just a regular string function that's unaware of SQL and databases.
Please note that bind parameters use a similar syntax:

// Fictional DB abstraction layer
$sql = 'SELECT foo_id
        FROM foo
        WHERE name=:name AND status=:status';
$params = array(
    'name'   => $name,
    'status' => $status,
);
$result = $db->run($sql, $params);

That's why I particularly find it easier to use those DB libraries that provide this syntax, such as PDO.
answered Jul 11 '11 at 7:10 by Álvaro González
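An added example (mine, not code from any of the answers above) that puts the accepted answer's escape-then-quote pattern, Flimzy's %d case and Álvaro's bound-parameter syntax side by side on one hostile input. It assumes the pdo_sqlite extension and an in-memory SQLite database so it runs offline; PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection, and the users table and its rows are constructed sample data.

```php
<?php
// Added example, not from the original answers. Contrasts plain sprintf()
// interpolation, escaping, %d coercion and PDO bound parameters.
// Assumes the pdo_sqlite extension; the users table and rows are constructed
// sample data. PDO::quote() stands in for mysql_real_escape_string(), which
// needs a live MySQL connection.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, status TEXT)');
$db->exec("INSERT INTO users (name, status) VALUES ('alice', 'active'), ('bob', 'active')");

// The input quoted in the comments on Flimzy's answer, used here as a string value.
$input = '"; DROP TABLE users;';

// 1. sprintf() alone: %s is replaced verbatim, so the leading double quote in
//    $input closes the SQL string literal early and the rest becomes SQL text.
$raw = sprintf('SELECT * FROM users WHERE name = "%s"', $input);
echo "raw:     $raw\n";

// 2. Escape and quote the value first, as the accepted answer does. The
//    placeholder carries no quotes of its own because quote() adds them.
$quoted = sprintf('SELECT * FROM users WHERE name = %s', $db->quote($input));
echo "quoted:  $quoted\n";

// 3. %d coerces the argument to an integer before it reaches the SQL string,
//    which only helps for columns that really are integers.
$byId = sprintf('SELECT * FROM users WHERE id = %d', '7; DROP TABLE users');
echo "integer: $byId\n";

// 4. Bound parameters: the SQL text is fixed at prepare() time and the values
//    travel separately, so the input is compared as data and never parsed as SQL.
function findUsers(PDO $db, string $name, string $status): array
{
    $stmt = $db->prepare(
        'SELECT id, name FROM users WHERE name = :name AND status = :status'
    );
    $stmt->execute(['name' => $name, 'status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The real name matches its row, the hostile string matches no row, and the
// users table is still there afterwards.
printf("rows for alice: %d\n", count(findUsers($db, 'alice', 'active')));
printf("rows for input: %d\n", count(findUsers($db, $input, 'active')));
printf("users rows left: %d\n", (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn());
```

Against MySQL, replace the quote() call with mysqli_real_escape_string() on an open connection (inside the quotes, as the accepted answer shows) or, better, keep the prepare()/execute() form, which PDO supports for MySQL as well.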