且构网


How does sprintf() prevent SQL injection?

Updated: 2023-12-02 09:19:58

sprintf won't protect you! It only replaces the %s.

You must use mysql_real_escape_string, like so:

// Escape each value before sprintf substitutes it for its %s placeholder
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
               mysql_real_escape_string($col1),
               mysql_real_escape_string($col2));

Safer against injection.

Note: I suggest you take a look at PDO; it is what I like to use for DB connections and queries.
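The point of the answer above, shown end to end as an added example (it is not code from the answer or from the site): Python's `%` string formatting plays the role of sprintf, a small quote-doubling helper stands in for mysql_real_escape_string (it only handles single quotes, which is enough for this in-memory SQLite table but far less than the real function does), and sqlite3 placeholders play the role of PDO prepared statements. The table, its rows and the hostile input are all constructed for the demo. Single-quoted SQL literals are used instead of the answer's double quotes because SQLite treats double quotes as identifiers.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the TABLE in the answer.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (col1 TEXT, col2 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "x"), ("bob", "y"), ("carol", "z")],
    )
    return conn


def escape_literal(value):
    # Simplified stand-in for mysql_real_escape_string: doubles single quotes
    # so a quote inside the value cannot terminate the SQL string literal.
    # The real function also handles backslashes, NUL bytes and charset
    # details; this helper is only for the demo.
    return value.replace("'", "''")


def query_with_format(conn, col1, col2):
    # sprintf-style: %s is replaced verbatim, nothing in the value is escaped.
    sql = "SELECT * FROM users WHERE col1 = '%s' AND col2 = '%s'" % (col1, col2)
    return conn.execute(sql).fetchall()


def query_with_escaped_format(conn, col1, col2):
    # The answer's pattern: escape each value, then let sprintf substitute it.
    sql = "SELECT * FROM users WHERE col1 = '%s' AND col2 = '%s'" % (
        escape_literal(col1),
        escape_literal(col2),
    )
    return conn.execute(sql).fetchall()


def query_with_params(conn, col1, col2):
    # Prepared-statement style (what PDO gives you): the driver sends the
    # values separately from the SQL text, so no escaping is needed at all.
    sql = "SELECT * FROM users WHERE col1 = ? AND col2 = ?"
    return conn.execute(sql, (col1, col2)).fetchall()


def demo():
    # Returns the row counts for the three approaches on a constructed input
    # that contains a quote. Plain formatting lets the quote end the literal
    # and the WHERE clause becomes true for every row; the other two treat
    # the input as an ordinary (non-matching) string.
    conn = make_db()
    hostile = "' OR '1'='1"
    return (
        len(query_with_format(conn, hostile, hostile)),
        len(query_with_escaped_format(conn, hostile, hostile)),
        len(query_with_params(conn, hostile, hostile)),
    )


if __name__ == "__main__":
    print("rows returned (format, escaped format, params):", demo())
```

Running `demo()` returns `(3, 0, 0)`: the plain sprintf-style query matches all three rows, while both the escaped query and the parameterized query match none, because neither user in the table is literally named `' OR '1'='1`. The parameterized version is the one to prefer, since it removes the need to remember the escape call on every value.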