且构网


Is PHP sprintf considered harmful?

Updated: 2022-11-27 18:50:13

Not in any traditional sense, as PHP's sprintf doesn't support any of the really dangerous conversions like %n. A user-controlled format string can still cause some limited havoc (consider %99999999s), but about the worst I think it could do would be to consume memory and time.
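The resource-consumption case mentioned above can be closed off by checking a format string before it reaches `sprintf`. The following is an added example, not part of the original answer: the names `is_safe_format` and `safe_sprintf`, the `MAX_WIDTH` limit and the sample strings are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

const MAX_WIDTH = 64; // assumed policy limit for width and precision

/**
 * True if $fmt uses only allowlisted conversions, bounded width/precision,
 * and references no more than $argc arguments.
 */
function is_safe_format(string $fmt, int $argc): bool
{
    // One conversion: %[argnum$][flags][width][.precision]specifier
    $spec = '/%(?:(\d+)\$)?(?:[-+ 0]|\'.)*(\d+)?(?:\.(\d+))?(.?)/s';
    preg_match_all($spec, $fmt, $all, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);

    // Length check first so an oversized digit run never reaches the int cast.
    $bounded = fn(?string $n): bool =>
        $n === null || (strlen($n) <= 3 && (int)$n <= MAX_WIDTH);

    $sequential = 0;
    foreach ($all as [$whole, $argnum, $width, $precision, $conv]) {
        if ($whole === '%%') {
            continue; // literal percent sign
        }
        if ($conv === null || $conv === '' || !str_contains('bcdeEfFgGosuxX', $conv)) {
            return false; // unknown, missing, or '*' conversion
        }
        if (!$bounded($width) || !$bounded($precision)) {
            return false; // e.g. %99999999s
        }
        $index = $argnum !== null
            ? (strlen($argnum) <= 3 ? (int)$argnum : PHP_INT_MAX)
            : ++$sequential;
        if ($index < 1 || $index > $argc) {
            return false; // refers to an argument that was not supplied
        }
    }
    return true;
}

function safe_sprintf(string $fmt, array $args): string
{
    if (!is_safe_format($fmt, count($args))) {
        throw new InvalidArgumentException('format string rejected');
    }
    return vsprintf($fmt, array_values($args));
}

// Constructed sample inputs, each checked against two available arguments.
foreach (['%s has %d items', '%05.2f%%', '%99999999s', '%3$s', '%n'] as $fmt) {
    printf("%-18s %s\n", $fmt, is_safe_format($fmt, 2) ? 'accepted' : 'rejected');
}
```

Where the application does not need caller-supplied formats at all, keeping the format string a constant and passing user data only as arguments removes the need for this check.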