php下的mysql参数化查询​的两种方法

php下的mysql参数化查询的两种方法：

$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",  

                 mysql_real_escape_string($Username),  

                 mysql_real_escape_string($Password));  

mysql_query($query);  

或是  

$db = new mysqli("localhost", "user", "pass", "database");  

$stmt = $mysqli -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");  

$stmt -> bind_param("ss", $user, $pass);  

$stmt -> execute();