Need Help with quote_smart, prepared sql statement.

[mcondiff]

I'm having real trouble with quote_smart() from php.  I need to know how to include a "quote_smart"ed variable into a sql prepared statment.  Quote_Smart() puts single quotes around all string vars and my db has matching values and appropriate single quotes around the values.

I am getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[email protected]''' at line 1"

the way i have it seems to have an extra single quote at the end but i cant tell where its coming from can someone help?

<?php
session_start();

require_once 'config.php';

function connect_db()
{
$this->db_connection = mysql_connect(SERVER_NAME, DB_USER, DB_PASSWORD) or die ('Unable to connect to Database!');
mysql_select_db(DB_NAME);
}

function quote_smart($value)
{
  // Stripslashes
  if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
  }
  // Quote if not a number or a numeric string
  if (!is_numeric($value)) {
      $value = "'" . mysql_real_escape_string($value) . "'";
  }
  return $value;
}

connect_db(); //connects to db fine

$legal = "[email protected]"; // pre quote_smart
$legal = quote_smart($legal); // post quote_smart

$query = "SELECT * FROM users WHERE email = '$legal'";

$user = mysql_query($query) or die(mysql_error());

$numFound = mysql_num_rows($user);

echo $numFound;

$x = mysql_result($user,0,"email");
$y = mysql_result($user,0,"pass");

echo '<br> user-> '. $x;
echo '<br> pass-> '. $y;
?>

Its a login script that im using as part of a base application class, but this is easier to read.

Does anyone have an example of anything theyve done using quotesmart or just tell me the standard/preferred way of using it to prevent sql injection?

I'm at a loss here.

Thanks

Mike