garaged wrote:
Not only attackable, but slower too, I think sprintf is still slower than echo, but that can be tested for modern versions of PHP.
What you actually likely want to use is prepared queries... then the database (or the emulation layer) will take care of combining the SQL with the data.
http://pear.php.net/manual/en/package.database.db.intro-execute.php
MDB2 works much in the same way. It just supports a wider range of datatypes. Also MDB2 supports Oracle style placeholders which are nice for readability:
SELECT surname, name, age FROM person WHERE name = :name AND age < :age
versus ? style
SELECT surname, name, age FROM person WHERE name = ? AND age < ?
regards, Lukas
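An added example illustrating the point of the reply above; it is not code from the thread or from PEAR DB/MDB2. It uses PHP's built-in PDO extension with an in-memory SQLite database (an assumption: the thread discusses PEAR DB and MDB2, but PDO is the modern, bundled API that supports both the "?" and the ":name" placeholder styles shown in the post). The table, rows and inputs are constructed for the demonstration. It contrasts the sprintf-built query the thread warns against with the two prepared-statement forms, and shows that the prepared form treats the input purely as data.

```php
<?php
// Added example (not from the thread): sprintf-built SQL versus prepared queries.
// Assumes the pdo_sqlite extension is available (it is bundled with PHP).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data matching the columns used in the post.
$db->exec('CREATE TABLE person (surname TEXT, name TEXT, age INTEGER)');
$seed = $db->prepare('INSERT INTO person (surname, name, age) VALUES (?, ?, ?)');
foreach ([['Smith', "O'Brien", 25], ['Jones', 'Anna', 40], ['Doe', 'Anna', 22]] as $row) {
    $seed->execute($row);
}

// 1) The pattern the thread discourages: the data is pasted into the SQL text.
//    Any quote character in $name becomes part of the query grammar, so the
//    statement fails (or does something else entirely) depending on the input.
function unsafeLookup(PDO $db, string $name, int $age): array
{
    $sql = sprintf("SELECT surname, name, age FROM person WHERE name = '%s' AND age < %d",
                   $name, $age);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Prepared query, "?" style: the driver sends the SQL and the values
//    separately, so the values can never change the structure of the query.
function lookupPositional(PDO $db, string $name, int $age): array
{
    $stmt = $db->prepare('SELECT surname, name, age FROM person WHERE name = ? AND age < ?');
    $stmt->execute([$name, $age]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Prepared query, Oracle-style named placeholders (the MDB2 form the post
//    prefers for readability). Same safety property, easier to read and reorder.
function lookupNamed(PDO $db, string $name, int $age): array
{
    $stmt = $db->prepare(
        'SELECT surname, name, age FROM person WHERE name = :name AND age < :age'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input: all three variants agree.
print_r(unsafeLookup($db, 'Anna', 30));     // Doe / Anna / 22
print_r(lookupPositional($db, 'Anna', 30)); // same row
print_r(lookupNamed($db, 'Anna', 30));      // same row

// Input containing a quote character (a perfectly legitimate name).
// The prepared forms return the matching row; the sprintf form breaks,
// which is the symptom that shows the input was parsed as SQL, not as data.
print_r(lookupPositional($db, "O'Brien", 30)); // Smith / O'Brien / 25
print_r(lookupNamed($db, "O'Brien", 30));      // Smith / O'Brien / 25
try {
    unsafeLookup($db, "O'Brien", 30);
} catch (PDOException $e) {
    echo "sprintf-built query failed: ", $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The failure of the sprintf variant on "O'Brien" is the tell-tale sign a reviewer looks for: if a quote in a value can break the query, the value is being interpreted as SQL. With either placeholder style the database (or PDO's emulation layer, as the post says) does the combining, and the application code never builds SQL text from user-supplied strings.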