When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website.
I usually just have a function escape_string(blah),
the MySQL C API has its own mysql_escape_string(). Using it or its equivalent would be best.
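Added example, not the poster's code: a small Python script using the standard-library sqlite3 module that shows the three approaches side by side: splicing user input straight into the query text (vulnerable), an escape_string()-style helper, and a parameterized query. The table, rows and the attacker input are constructed for the demo. Note that the helper doubles single quotes, which is SQLite's dialect; MySQL's mysql_escape_string() uses backslashes instead, so this helper is an illustration of the idea rather than a drop-in for MySQL.

```python
import sqlite3

# Constructed sample data for the demo (not from any real system).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed attacker input: closes the quoted literal and appends a
# tautology so the WHERE clause matches every row.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: user input is spliced directly into the SQL text."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def escape_string(s):
    """Escape-string approach in SQLite's dialect: double each single quote.

    MySQL's mysql_escape_string() prefixes special characters with a
    backslash instead, so this helper is for illustration only.
    """
    return s.replace("'", "''")


def login_escaped(conn, name, password):
    """Same query, but every value is run through escape_string() first."""
    sql = (f"SELECT name FROM users WHERE name = '{escape_string(name)}' "
           f"AND password = '{escape_string(password)}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Preferred: placeholders keep the values separate from the SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, "alice", INJECTION))
    print("escaped:      ", login_escaped(db, "alice", INJECTION))
    print("parameterized:", login_parameterized(db, "alice", INJECTION))
    print("real login:   ", login_parameterized(db, "alice", "s3cret"))
```

With the injected password the vulnerable query returns every user, because the input turns the clause into `password = '' OR '1'='1'`; the escaped and parameterized versions treat the same input as an ordinary string and return nothing.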