To escape database queries use the %AddSlashes()% function. \n"; var_dump(sprintf($query, AddSlashes($user))); ?>]]>