Escape the parameters with mysql_real_escape_string, then combine that with parameterized queries:
// Legacy approach: escape each value with mysql_real_escape_string() before
// interpolating it into the query string (the original used typographic quotes
// around %s, which are not valid SQL string delimiters; they are straight
// single quotes here). Note that the mysql_* extension was deprecated in
// PHP 5.5 and removed in PHP 7.0.
$query = sprintf("SELECT * FROM Users WHERE UserName='%s' AND Password='%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);
or
// Preferred approach: a prepared statement with bound parameters, so the
// values are sent separately from the SQL text and are never parsed as SQL.
$db = new mysqli("localhost", "user", "pass", "database");
// The original called $mysqli->prepare(), but the connection is stored in $db.
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass); // "ss": both placeholders are bound as strings
$stmt->execute();
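The following is an added example, not code from the original post: it puts the string-concatenation form next to the prepared-statement form for the same login lookup and runs both against an in-memory SQLite database through PDO, so it needs no MySQL server (the pdo_sqlite extension is assumed to be available). The table and column names (Users, UserName, PasswordHash), the sample accounts and the helper function names are all constructed for the example; with MySQL only the DSN in makeDb() would change. It also stores password hashes rather than clear-text passwords, so the query compares the user name only and password_verify() does the rest.

```php
<?php
// Added example: concatenated query vs. prepared statement, run offline on
// SQLite via PDO. Names Users/UserName/PasswordHash and the helper functions
// are assumptions for this example, not the original post's schema.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:'); // for MySQL: 'mysql:host=...;dbname=...'
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (UserName TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
    // Constructed sample accounts. Passwords are stored as password_hash()
    // output, never in clear text.
    $ins = $db->prepare('INSERT INTO Users (UserName, PasswordHash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(["o'brien", password_hash('staple battery', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable form: the user name is pasted straight into the SQL text, so any
// quote in the input changes the structure of the statement.
function lookupConcat(PDO $db, string $user): ?string {
    $sql = "SELECT PasswordHash FROM Users WHERE UserName='" . $user . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['PasswordHash'] : null;
}

// Hardened form: the statement is parsed first and the value is bound
// afterwards, so the input is always a literal and never SQL.
function lookupPrepared(PDO $db, string $user): ?string {
    $stmt = $db->prepare('SELECT PasswordHash FROM Users WHERE UserName=?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['PasswordHash'] : null;
}

function login(PDO $db, string $user, string $pass): bool {
    $hash = lookupPrepared($db, $user);
    // password_verify() compares against the stored hash in constant time.
    return $hash !== null && password_verify($pass, $hash);
}

$db = makeDb();

// A perfectly legitimate name containing a quote breaks the concatenated
// query with a SQL syntax error ...
try {
    lookupConcat($db, "o'brien");
    echo "concat: query succeeded\n";
} catch (PDOException $e) {
    echo "concat: SQL error on input o'brien: " . $e->getMessage() . "\n";
}

// ... while the prepared statement treats the same input as plain data.
var_dump(login($db, "o'brien", 'staple battery'));
var_dump(login($db, "o'brien", 'wrong password'));
var_dump(login($db, 'alice', 'correct horse'));
```

With the MySQL driver, PDO emulates prepared statements client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection makes it use server-side prepares, which is what the mysqli snippet above does.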
Original article: http://www.cnblogs.com/CyLee/p/5487874.html