I have heard that sprintf() protects against SQL injection. Is it true? If so,

Question

Editorial Team

Asked: May 23, 20262026-05-23T15:08:41+00:00 2026-05-23T15:08:41+00:00

I have heard that sprintf() protects against SQL injection. Is it true? If so, how?

Why people are recommending to write query like this:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-05-23T15:08:41+00:00

Editorial Team

sprintf won’t protect you! It only replaces the %s

you must mysql_real_escape_string so:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));

is safer injection

note: I suggest you take a look at PDO, it is what I like to use for DBconections and queries

The Archive Base Latest Questions