Updated: 2023-12-02 09:19:58
sprintf won't protect you! It only replaces the %s.
You must use mysql_real_escape_string, like so:
// Each value is escaped for the MySQL connection before sprintf splices it into the SQL text
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
               mysql_real_escape_string($col1),
               mysql_real_escape_string($col2));
Safer against injection.
Note: I suggest you take a look at PDO, it is what I like to use for DB connections and queries.
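As an added example (not part of the answer above), here is the same lookup written three ways with PDO: sprintf alone, sprintf with PDO::quote() as the escaping step, and a prepared statement with bound parameters. It keeps the answer's TABLE/COL1/COL2 names, uses an in-memory SQLite database purely so it runs offline, and the row and user input are constructed here; the input contains a double quote, which is enough to show why an unescaped %s is not safe.

```php
<?php
// Added example, not from the original answer. SQLite in-memory is used only so the
// script runs without a database server; the table, row and inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE "TABLE" (COL1 TEXT, COL2 TEXT)');
$pdo->prepare('INSERT INTO "TABLE" VALUES (?, ?)')->execute(['O"Brien', 'x']);

// Constructed user input: a perfectly legitimate value that happens to contain a double quote.
$col1 = 'O"Brien';
$col2 = 'x';

// 1. sprintf alone: the quote inside $col1 lands unescaped in the SQL text, so the
//    statement is malformed and the driver rejects it (with other inputs it could
//    instead run a query the developer never wrote).
$unsafe = sprintf('SELECT * FROM "TABLE" WHERE COL1 = "%s" AND COL2 = "%s"', $col1, $col2);
try {
    $pdo->query($unsafe);
    echo "sprintf only: query ran (not expected here)\n";
} catch (PDOException $e) {
    echo "sprintf only: rejected by the driver - " . $e->getMessage() . "\n";
}

// 2. sprintf plus PDO::quote(): the PDO counterpart of mysql_real_escape_string.
//    quote() escapes the value and wraps it in quotes, so no quotes go in the format string.
$escaped = sprintf('SELECT * FROM "TABLE" WHERE COL1 = %s AND COL2 = %s',
                   $pdo->quote($col1), $pdo->quote($col2));
$rows = $pdo->query($escaped)->fetchAll(PDO::FETCH_ASSOC);
printf("sprintf + quote(): %d row(s) found\n", count($rows));

// 3. Prepared statement with bound parameters: the values never become part of the SQL
//    text at all, so there is no escaping step to forget. This is the form to prefer.
$stmt = $pdo->prepare('SELECT * FROM "TABLE" WHERE COL1 = ? AND COL2 = ?');
$stmt->execute([$col1, $col2]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared statement: %d row(s) found\n", count($rows));
```

Run it with `php example.php`. Two caveats for anyone porting the answer's snippet to current PHP: mysql_real_escape_string only works with an open connection from the old ext/mysql extension, which was removed in PHP 7, so PDO::quote() or, better, bound parameters are the available replacements; and the escaping approach is only as good as the developer's discipline, since a single %s that skips the escape call reopens the problem, which is the reason prepared statements are the recommended default.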