To escape database queries use the AddSlashes() function. Be aware that addslashes() only backslash-prefixes single quotes, double quotes, backslashes and NUL bytes and knows nothing about the connection's character set, so it is not a reliable defence against SQL injection; prepared statements with bound parameters (for example PDO::prepare() and execute()) are the recommended way to pass untrusted values into a query. The example below therefore illustrates sprintf() substitution, not a safe way to build SQL.

<?php
// Demonstrates sprintf() substituting a value into a query template,
// first as-is and then after addslashes(), and dumps both results.
//
// NOTE(review): addslashes() is not a safe way to build SQL. It only
// prefixes ', ", \ and NUL with a backslash and is unaware of the
// connection's character set, so it must not be relied on to prevent
// SQL injection. Prepared statements with bound parameters (e.g.
// PDO::prepare()/execute()) are the right tool; this snippet only
// illustrates how sprintf() fills the template.

// A value that, unescaped, closes the quoted literal and appends a second condition.
$user  = "' OR id='1";
$query = "SELECT * FROM table WHERE id='%s'";

// Raw substitution: the quote in $user terminates the literal early.
$unescaped = sprintf($query, $user);
// Slashed substitution: the quotes stay inside the literal (see the note above).
$escaped = sprintf($query, addslashes($user));

var_dump($unescaped);
echo "\n<br />\n";
var_dump($escaped);
?>
Output
string(41) "SELECT * FROM table WHERE id='' OR id='1'"
string(43) "SELECT * FROM table WHERE id='\' OR id=\'1'"