It's been a while since I've had to do programming like this... what do you mean exactly by escape your variables?
Depending on what type of SQL you're using and what your PHP ini settings are, it's usually a good practice to escape quotes and other possible contaminants out of your string. For instance, if you're trying to insert the following:
$q = "I'm awesome!";
$sql = mysql_query("INSERT INTO myTable (fieldName) VALUES ('$q')");
You will have a failed query every time since, when the variable is translated, it will actually read the apostrophe in the variable as the end of the VALUES string. To avoid that, you've got to escape (place a backslash in front of) the offending quote. If you're using MySQL, you can use mysql_real_escape_string(); if you're using PostgreSQL, you can use pg_escape_string(); and if you're wanting to manually run it, you might even get by with addslashes().
Hope this helps!
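
An added example, not part of the original posts: the failing insert from the answer above, next to an escaped version and, going one step beyond the answer, a bound-parameter version. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs without a server; SQLite's PDO::quote() escapes by doubling the apostrophe rather than putting a backslash in front of it.

```php
<?php
// Added example, not code from the thread. Table and field names follow the post;
// the in-memory SQLite database is an assumption made so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE myTable (fieldName TEXT)');

$q = "I'm awesome!";

// 1. Raw interpolation, as in the post: the apostrophe in $q ends the
//    VALUES string early, so the statement no longer parses.
try {
    $db->exec("INSERT INTO myTable (fieldName) VALUES ('$q')");
    echo "raw: inserted\n";
} catch (PDOException $e) {
    echo "raw: query failed: ", $e->getMessage(), "\n";
}

// 2. Escaped: PDO::quote() escapes the value for this driver and also adds
//    the surrounding quotes, so none are written in the SQL text.
$quoted = $db->quote($q);
echo "quoted literal: $quoted\n";
$db->exec("INSERT INTO myTable (fieldName) VALUES ($quoted)");

// 3. Bound parameter: the value is sent separately from the SQL text,
//    so its contents are never parsed as part of the statement.
$stmt = $db->prepare('INSERT INTO myTable (fieldName) VALUES (?)');
$stmt->execute([$q]);

// Both successful inserts store the original string unchanged.
foreach ($db->query('SELECT fieldName FROM myTable') as $row) {
    echo "stored: ", $row['fieldName'], "\n";
}
```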