It is better to use this one:

http://www.php.net/mysql_real_escape_string

If you don't use this, then by inputting just a quote or this input '--'
a hacker can easily hack your syntax.

In another step your site will send a message like:
error in mysql on this line lob lob ..

In this part he will find out that your server is MySQL :D
He/she will try other syntaxes, and from the errors he/she finds your table names
and ... :D
You know how bad :D

Then obey the security rules.

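The two problems described in the message above (a lone quote breaking the query, and the database error text being sent to the visitor), shown as an added example that is not part of the original post. It uses PDO bound parameters rather than `mysql_real_escape_string` (the old `mysql_*` functions were removed in PHP 7), and as an assumption it runs against an in-memory SQLite database standing in for MySQL so it works offline; the table, function names and inputs are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Unsafe: the input is pasted into the SQL text and the database error is
// returned to the caller, which reveals the engine and the query structure.
function find_unsafe(PDO $pdo, string $name): string
{
    try {
        $rows = $pdo->query("SELECT id FROM users WHERE name = '$name'")->fetchAll();
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        return "error in query: " . $e->getMessage();
    }
}

// Safer: the value travels as a bound parameter, never as SQL text. Failures
// produce a generic message for the visitor; details go to the server log.
function find_safe(PDO $pdo, string $name): string
{
    try {
        $stmt = $pdo->prepare("SELECT id FROM users WHERE name = :name");
        $stmt->execute([':name' => $name]);
        return count($stmt->fetchAll()) . " row(s)";
    } catch (PDOException $e) {
        error_log("user lookup failed: " . $e->getMessage());
        return "Sorry, something went wrong.";
    }
}

// Constructed sample inputs: a normal name, a lone quote, a name with a quote.
foreach (["alice", "'", "O'Brien"] as $input) {
    printf("%-8s unsafe: %s\n", $input, find_unsafe($pdo, $input));
    printf("%-8s safe:   %s\n", $input, find_safe($pdo, $input));
}
```

In production, also set `display_errors = Off` and `log_errors = On` in `php.ini` so uncaught database errors never reach the browser.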