It is important to avoid SQL injection when working with MySQL, so it is common to use a function like mysql_real_escape_string() in PHP.
At php.net, they suggest using sprintf together with a function called quote_smart, as described on their mysql_real_escape_string documentation page, as a "best practice" method.
Correction: of the 3 examples above, the 2 previous ones used to have single quotes around %s, but this is incorrect, as quote_smart or myquote will add the single quotes.
Note: using either sprintf or qsprintf will get screwed up when you have a `like 's%'` statement in SQL, or similar `like` statements using % (the percent character).
Notes: I modified their quote_smart function and renamed it to myquote in my code sample below, because MySQL doesn't care if you try to insert '123' (including the single quotes) into a numeric field, and that way I wouldn't lose leading zeros when inserting something like '01234' into a character field.
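As an added example (not the author's own code sample, which is not reproduced on this page), here is a myquote helper of the kind described, together with the sprintf/LIKE percent-sign pitfall and two ways around it. It is written against the mysqli extension, since the old mysql_* functions no longer exist in current PHP, and assumes an open mysqli connection in `$db` (hypothetical; not on the page).

```php
<?php
// Added example, not the page's code. Assumes $db is an open mysqli connection.

// Always quote, even for numbers: MySQL accepts '123' in a numeric column, and
// quoting '01234' as a string keeps its leading zeros in a CHAR/VARCHAR column.
function myquote(mysqli $db, $value): string
{
    if ($value === null) {
        return 'NULL'; // unquoted SQL NULL (assumption; the page does not discuss NULL)
    }
    // Cast to string first so a value like 01234 is never coerced to the integer 1234.
    return "'" . $db->real_escape_string((string) $value) . "'";
}

// Plain INSERT: no single quotes around %s in the format string, because
// myquote() already adds them (the "correction" above).
$sql = sprintf(
    "INSERT INTO users (id, zip) VALUES (%s, %s)",
    myquote($db, 123),
    myquote($db, '01234')
);
// Produces: INSERT INTO users (id, zip) VALUES ('123', '01234')

// The LIKE pitfall from the note above: a bare % in the format string is read by
// sprintf as a conversion specifier, so a pattern such as LIKE 's%' corrupts the
// query or throws. Two ways to avoid it:

// (a) put the wildcard inside the quoted value, so no literal % reaches sprintf
$sql = sprintf(
    "SELECT * FROM users WHERE name LIKE %s",
    myquote($db, 's%')
);
// Produces: SELECT * FROM users WHERE name LIKE 's%'

// (b) keep the wildcard in the SQL text, written as %% so sprintf emits a single %
$prefix = $_GET['prefix'] ?? '';
// % and _ inside user input are LIKE wildcards too; neutralise them so the caller
// can only match the literal text they typed (addcslashes is standard PHP).
$prefix = addcslashes($prefix, '%_');
$sql = sprintf(
    "SELECT * FROM users WHERE name LIKE CONCAT(%s, '%%')",
    myquote($db, $prefix)
);
// With prefix "s" produces: SELECT * FROM users WHERE name LIKE CONCAT('s', '%')
```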