diff --git a/drogon_ctl/templates/model_h.csp b/drogon_ctl/templates/model_h.csp
index a8ded786..0ed1eeee 100644
--- a/drogon_ctl/templates/model_h.csp
+++ b/drogon_ctl/templates/model_h.csp
@@ -508,7 +508,7 @@ if(@@.get("rdbms")=="postgresql")
 if(@@.get("rdbms")=="postgresql")
 {
 %>
- n = sprintf(placeholderStr,"$%d,",placeholder++);
+ n = snprintf(placeholderStr,sizeof(placeholderStr),"$%d,",placeholder++);
 sql.append(placeholderStr, n);
 <%c++
 }else
diff --git a/orm_lib/tests/postgresql/Users.h b/orm_lib/tests/postgresql/Users.h
index d3c3ce4f..bf208694 100644
--- a/orm_lib/tests/postgresql/Users.h
+++ b/orm_lib/tests/postgresql/Users.h
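Review bot: The return value of `snprintf` still goes unchecked into `sql.append(placeholderStr, n)` on the line after the changed call, so a truncated write is traded for a possible over-read. `snprintf` returns the length the full output would have had, so on truncation `n` is at least `sizeof(placeholderStr)` and the append reads past the end of the buffer; a negative error return wraps to a huge value where `n` is `size_t`, as it is declared in the `Users.h` hunk of this commit. The declaration of `placeholderStr` lies outside the hunk, so confirm that it is an array rather than a pointer (otherwise `sizeof` yields the pointer size) and that it holds at least 14 bytes, which covers `"$%d,"` for any 32-bit `int`. Either guard the append with `if (n > 0 && n < sizeof(placeholderStr))`, or, if `sql` is a `std::string` as its use suggests, drop the fixed buffer with `sql += '$'; sql += std::to_string(placeholder++); sql += ',';`. The same unchecked pattern is emitted in all eight `dirtyFlag_` blocks of the `Users.h` hunk.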
@@ -352,43 +352,67 @@ class Users
 size_t n = 0;
 if (dirtyFlag_[0])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 if (dirtyFlag_[1])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 if (dirtyFlag_[2])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 if (dirtyFlag_[3])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 if (dirtyFlag_[4])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 if (dirtyFlag_[5])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 sql += "default,";
 if (dirtyFlag_[7])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 if (dirtyFlag_[8])
 {
- n = sprintf(placeholderStr, "$%d,", placeholder++);
+ n = snprintf(placeholderStr,
+ sizeof(placeholderStr),
+ "$%d,",
+ placeholder++);
 sql.append(placeholderStr, n);
 }
 else