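mysql_real_escape_string($_POST['ownername']) . "' AND species='" . mysql_real_escape_string($_POST['species']) . "'";

// SECURITY NOTE (review): building the SQL by concatenating escaped $_POST
// values only holds up if every value is wrapped in quotes in the query text
// (it is here: '%s') and the connection charset was set with
// mysql_set_charset(); otherwise multibyte sequences can still break out of
// the quotes. sprintf() itself adds no protection - it is only a tidier way
// to write the concatenation. The mysql_* extension was removed in PHP 7.0,
// so this is legacy code; the PDO prepared statement further down is the
// approach to use for new code.
$query = sprintf(
    "SELECT * FROM `pets` WHERE `owner`='%s' AND `species`='%s'",
    mysql_real_escape_string($_POST['ownername']),
    mysql_real_escape_string($_POST['species'])
);
-----------------------------------------------------------------
<?php
// Reference: the printf()/sprintf() format specifiers used by the
// '%s' placeholders above (listing restored from the garbled columns;
// the %f/%o/%s/%x/%X lines take $n like the others).
$n =  43951789;
$u = -43951789;
$c = 65; // ASCII 65 is 'A'

// notice the double %%, this prints a literal '%' character
printf("%%b = '%b'\n", $n); // binary representation
printf("%%c = '%c'\n", $c); // print the ascii character, same as chr() function
printf("%%d = '%d'\n", $n); // standard integer representation
printf("%%e = '%e'\n", $n); // scientific notation
printf("%%u = '%u'\n", $n); // unsigned integer representation of a positive integer
printf("%%u = '%u'\n", $u); // unsigned integer representation of a negative integer
printf("%%f = '%f'\n", $n); // floating point representation
printf("%%o = '%o'\n", $n); // octal representation
printf("%%s = '%s'\n", $n); // string representation
printf("%%x = '%x'\n", $n); // hexadecimal representation (lower-case)
printf("%%X = '%X'\n", $n); // hexadecimal representation (upper-case)

printf("%%+d = '%+d'\n", $n); // sign specifier on a positive integer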
printf("%%+d = '%+d'\n", $u); // sign specifier on a negative integer
?>
-------------------------------------------------------------------
A solução vem em dois passos: primeiro formatamos os dados de acordo com a forma como eles chegam (sprintf). Depois, com PDO, encapsulamos as queries em prepared statements, de forma a não permitir que a entrada externa seja inserida diretamente no texto da consulta (SQL injection). Atenção: o sprintf sozinho não protege contra injeção de SQL — a proteção vem do prepared statement com parâmetros vinculados (`:name`), porque os valores nunca são concatenados ao texto da query e o servidor recebe a estrutura da consulta separada dos dados. Para que o PDO use prepared statements nativos do servidor em vez de os emular no cliente, configure `$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` logo após abrir a ligação. PDO:
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
    // do something with $row
}
---------------------------------------------------------------------