
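// Both original variants (string concatenation and sprintf) spliced the output
// of mysql_real_escape_string() into the SQL text. That depends on the mysql_*
// extension, which was removed in PHP 7.0, and on the escaping matching the
// connection's character set. With a prepared statement the SQL text is a
// constant and the untrusted POST values travel separately as bound
// parameters, so no escaping step is needed.
$query = 'SELECT * FROM `pets` WHERE `owner` = :owner AND `species` = :species';

// Request values to bind; default to '' so a missing field does not raise an
// undefined-index warning (the original code escaped a null to '' as well).
$params = [
    ':owner'   => $_POST['ownername'] ?? '',
    ':species' => $_POST['species'] ?? '',
];

// Execute through a prepared statement, e.g. with PDO:
//   $stmt = $pdo->prepare($query);
//   $stmt->execute($params);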
-----------------------------------------------------------------<?php
$n = 43951789;
$u = -43951789;
$c = 65; // ASCII 65 is 'A'

// One [specifier, argument] pair per output line. The doubled %% in the format
// string prints a literal '%', so every line shows the specifier next to what
// it produces.
$samples = [
    ['b', $n],  // binary representation
    ['c', $c],  // the ASCII character, same as chr()
    ['d', $n],  // standard integer representation
    ['e', $n],  // scientific notation
    ['u', $n],  // unsigned integer representation of a positive integer
    ['u', $u],  // unsigned integer representation of a negative integer
    ['f', $n],  // floating point representation
    ['o', $n],  // octal representation
    ['s', $n],  // string representation
    ['x', $n],  // hexadecimal representation (lower-case)
    ['X', $n],  // hexadecimal representation (upper-case)
    ['+d', $n], // sign specifier on a positive integer
    ['+d', $u], // sign specifier on a negative integer
];

foreach ($samples as [$spec, $value]) {
    printf("%%{$spec} = '%{$spec}'\n", $value);
}
?>
-------------------------------------------------------------------A solução vem em dois passos: primeiro formatamos os dados de acordo com o que eles chegam (sprintf). Depois, com PDO, encapsulamos as queries de forma a não permitir o acesso direto à inserção.
PDO:
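// Look up employees by name with a prepared statement: the SQL text is fixed
// and $name is bound as a parameter, so it is never interpolated into the query.
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
// execute() signals failure by exception when PDO::ATTR_ERRMODE is
// ERRMODE_EXCEPTION (the default since PHP 8.0); on older configurations
// check its bool return value.
$stmt->execute([':name' => $name]);
// A PDOStatement is traversable; each iteration yields the next result row.
foreach ($stmt as $row) {
    // do something with $row
}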
---------------------------------------------------------------------
