[Squirrel]

Alright so Ive got a simple question, since I want to avoid any data injection, could I simply do things such as

PHP код:

mysql_format(mysql, query,sizeof(query),"UPDATE `players` SET `Username`='%e' WHERE `ID`=%d",NewName,AccInfo[playerid][ID]);
    mysql_tquery(mysql, query); 


Or Id have to escape the string other way?

Im trying to understand how it all works.

So basically is it enough if I use '%e' when formating or I have to still do something to avoid data injection?