notepad
Posted May 7, 2007

Hi,

In the page about mysql_real_escape_string on www.php.net there is a 'Best practice method', code using sprintf. I understand sprintf pretty well now... But I have a question about the example from www.php.net, about this section:

```php
...
$query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
    mysql_real_escape_string($product_name, $link),
    mysql_real_escape_string($product_description, $link),
    $_POST['user_id']);
...
```

With this code, it is taking the $product_name and $product_description and escaping them. But since I need to use these variables in further queries later on, within the same page... I need to have the variables 'raw', that way they don't get escaped twice.

So my question to you is: if I escape the variables using mysql_real_escape_string, have I then changed the variables? Or am I only escaping the variables for this query, and leaving them 'raw'?

Thanks!

kenrbnsn
Posted May 7, 2007

The mysql_real_escape_string() function doesn't modify the values of the input variables, it just returns the new value.

Ken

sasa
Posted May 7, 2007

try

```php
<?php
// mysql_real_escape_string() needs an open connection
mysql_connect('localhost','root','');
$a = 'a\b';
// prints the escaped copy returned by the function
echo mysql_real_escape_string($a);
echo "\n<hr />\n";
// prints the original variable for comparison
echo $a;
?>
```

notepad
Posted May 9, 2007

Thanks for clearing that up... I just wanted to make sure I wasn't escaping the data twice. =)

I do have one more question if I may, I am brand new to sprintf(), and I don't really understand the point of it. I am using it, because all of the examples on php.net use it... So I figure there is something to it, but I don't know what that "something" is. Could you explain the purpose of it?

Thanks!

This topic is now archived and is closed to further replies.
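
An added example, not code from the thread or from php.net: the script below walks through the query quoted in the first post, showing that escaping returns a copy, what `%d` does to a non-numeric `user_id`, and when double escaping actually occurs. `demo_escape()` and `build_insert()` are hypothetical names; `demo_escape()` is a stand-in for `mysql_real_escape_string()` so the script runs without a database connection, and all input values are constructed.

```php
<?php
// Stand-in for mysql_real_escape_string() (hypothetical helper, no DB needed).
// It backslash-escapes the characters the PHP manual lists for that function:
// \x00, \n, \r, \, ', " and \x1a.
function demo_escape(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Same query template as the php.net snippet quoted in the first post.
function build_insert(string $name, string $description, $userId): string
{
    // %s receives the escaped copy; %d converts its argument to an integer.
    return sprintf(
        "INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
        demo_escape($name),
        demo_escape($description),
        $userId
    );
}

// Constructed sample input.
$product_name        = "O'Reilly";
$product_description = 'a\b';
$user_id             = '7 and some trailing text'; // non-numeric form value

// Only the integer part of $user_id reaches the query text.
echo build_insert($product_name, $product_description, $user_id), "\n";

// The original variables are unchanged and can be reused in later queries.
echo $product_name, "\n", $product_description, "\n";

// Double escaping happens only if an escaped copy is stored and escaped again.
$once  = demo_escape($product_name);
$twice = demo_escape($once);
echo $once, " | ", $twice, "\n";
```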