$sql = sprintf("select count(*) as qty from t_user where f_uid='%s' and f_password='%s'",$password,$userAccount); 这句话能挡住SQL注入吗?