Pass a user-inputted variable to this function in order to prevent SQL injection. Example:

mysql_query("INSERT INTO table VALUES('" . sql_sanitize($_POST["variable") . "')");

Instead of:

mysql_query("INSERT INTO table VALUES('" . $_POST["variable"] . "'");