In the php manual:
http://www.php.net/manual/en/function.mysql-real-escape-string.php

The following method is suggested:

<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
            quote_smart($_POST['username']),
            quote_smart($_POST['password']));

mysql_query($query);
?>

What is the purpose of the sprintf? If it were using %d on integers I
could see the point, but as we're talking about %s strings, what is
the advantage to using sprintf? How does this differ from:

$query = "SELECT * FROM users WHERE user=".$_POST['username']." AND password=".$_POST['password'];

Dotan Cohen
http://linux-apache-mysql-php.org
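The following script is an added illustration of the question above; it is not from the PHP manual page and not part of the original post. It builds the same query three ways so the strings can be compared side by side: the manual's sprintf form, a concatenation that still calls quote_smart(), and the concatenation from the question that calls nothing. Because mysql_real_escape_string() needs a live connection, the script substitutes a hypothetical demo_escape() that applies only the character escaping the manual documents for that function and ignores the connection charset; it exists only to make the comparison runnable offline.

```php
<?php
// Added illustration, not code from the PHP manual or the original post.
// demo_escape() is a stand-in for mysql_real_escape_string(): it escapes
// the same characters the manual lists (NUL, \n, \r, \, ', ", Ctrl-Z) but
// knows nothing about the connection charset, which is why the real
// function requires a link. It is for comparing query strings only.
function demo_escape(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Same shape as the manual's quote_smart(), minus the magic_quotes branch.
function quote_smart_demo($value)
{
    // Quote and escape unless the value is a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . demo_escape($value) . "'";
    }
    return $value;
}

// Constructed sample input: a legitimate surname containing an apostrophe.
$username = "O'Brien";
$password = "pa55";

// 1. The manual's form: sprintf with %s, values already quoted and escaped.
$withSprintf = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
    quote_smart_demo($username), quote_smart_demo($password));

// 2. Plain concatenation using the same quote_smart() calls.
$withConcat = "SELECT * FROM users WHERE user=" . quote_smart_demo($username)
    . " AND password=" . quote_smart_demo($password);

// 3. The concatenation from the question: no quoting and no escaping.
$raw = "SELECT * FROM users WHERE user=" . $username
    . " AND password=" . $password;

echo $withSprintf, "\n";
echo $withConcat, "\n";
// sprintf vs concatenation: the resulting SQL is byte-for-byte the same,
// so sprintf only changes how readable the PHP is, not how safe the query is.
var_dump($withSprintf === $withConcat);

echo $raw, "\n";
// Without quote_smart() the values land in the statement as bare tokens:
// the apostrophe in the surname is unbalanced and MySQL rejects the query,
// and whatever the client sends is now part of the SQL text itself.
```

Running it shows that forms 1 and 2 are identical: every bit of the protection lives in quote_smart() (quoting plus escaping), and sprintf() with %s adds nothing beyond keeping the SQL template in one readable string. Form 3 differs because it drops quote_smart(), not because it drops sprintf(). In current PHP the same separation of query text from data is what prepared statements in mysqli or PDO give you without a hand-written escaper.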