Everything is shown in MySQL documentation; was to so hard to consult it?
This is how to escape ' " and other characters: http://dev.mysql.com/doc/refman/5.0/en/string-literals.html
However, it's possible that the root problem is different. Do you obtain SQL query by concatenating some SQL language constructs with data? Even if it works, this is not a right thing to do. You should better use parametrized statements
instead. Please see:
Not only it's generally better and will help you to avoid escaping problems, it's also much safer, which is very important. In particular, it can help you to get protected from a well-known exploit called SQL injection
Note the section 3.1
explaining the importance of parametrized statements.