<?php
// Emit $foo as HTML text. ENT_QUOTES converts both double and single quotes
// (along with &, < and >), so the result is safe in element content and inside
// a quoted attribute value.
// This escaping is specific to the HTML context: it is not sufficient inside
// <script>, inline event handlers, CSS, or URL attributes such as href/src.
// NOTE(review): no encoding argument is passed, so PHP's default applies
// (this varies by PHP version/ini) — confirm it matches the page charset.
print(htmlspecialchars($foo, ENT_QUOTES));
?>
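<?php
// Look up rows in USERS by id and leave the query handle in $result.
//
// SECURITY: mysql_escape_string() escapes without consulting the connection
// character set, so its output is not reliable under every multibyte
// encoding. mysql_real_escape_string() escapes according to the charset of the
// current link; that charset must be set with mysql_set_charset() (not a
// "SET NAMES" query) for the escaping to be aware of it.
//
// NOTE(review): the whole mysql_* extension is deprecated (PHP 5.5) and removed
// in PHP 7. The durable fix is a parameterized query through PDO or mysqli,
// which needs the connection handle that is not visible in this snippet.
// Escaping only protects the value because it is placed inside the quotes below.
$sql = "SELECT * FROM USERS where id = '" . mysql_real_escape_string($id) . "'";

// mysql_query() returns false on failure; check $result before fetching from it.
$result = mysql_query($sql);
?>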