To escape quotes in values that are inserted into database query strings, use the addslashes() function.

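<?php
// Demonstration of what addslashes() does to a value before it is placed
// inside a quoted SQL literal. addslashes() prefixes single quotes, double
// quotes, backslashes and NUL bytes with a backslash; it knows nothing about
// the database connection or its charset, so for real queries prefer prepared
// statements with bound parameters over building SQL with sprintf().

// Sample value containing a quote, so the effect of escaping is visible.
$user = "' OR id='1";
$query = "SELECT * FROM table WHERE id='%s'";

// Unescaped: the quote in $user closes the literal and the remainder of the
// value becomes part of the SQL statement (see the first Output line).
var_dump(sprintf($query, $user));
print "\n<br />\n";
// Escaped: each quote is preceded by a backslash and therefore stays inside
// the literal (see the second Output line).
var_dump(sprintf($query, addslashes($user)));
?>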
Output
string(41) "SELECT * FROM table WHERE id='' OR id='1'"
string(43) "SELECT * FROM table WHERE id='\' OR id=\'1'"