07-20-2007
Kevin Raleigh
prepping data for compare after using SQL's mysql_real_escape_string($userName)

I took care of my SQL injection problem, but all my strings are quoted now, as
you know.

So how do I prep my username which has quotes in the db but not in my code,
so that I can compare it to the db?
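
// makes sure they filled it in (empty() also avoids a notice when a field is missing)
if (empty($_POST['username']) || empty($_POST['pass'])) {
    die('You did not fill in a required field.');
}

// checks it against the database
// escape the value for use inside the quoted SQL string (needs an open mysql connection)
$userName = mysql_real_escape_string($_POST['username']);
$check = mysql_query("SELECT * FROM user WHERE username = '" . $userName . "'")
    or die(mysql_error());
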

I tried addslashes();
and I tried to use the mysql_real_escape_string($userName)
but ...
insight appreciated
thank you
kevin


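The comparison asked about above, as an added example that is not part of the original post: it shows what the database stores after a value is escaped once, what it stores when the value is escaped twice, and a lookup that uses a bound parameter. It assumes PHP with the pdo_sqlite extension and uses PDO::quote() in place of mysql_real_escape_string(); the helper findUser(), the table and all values are constructed.

```php
<?php
// Added example, not the poster's code. Assumes PHP with the pdo_sqlite
// extension; the table and every value below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT)');

// Hypothetical helper: look up a username with a bound parameter, so the
// value is sent as data and never becomes part of the SQL text.
function findUser(PDO $db, $name) {
    $stmt = $db->prepare('SELECT username FROM user WHERE username = ?');
    $stmt->execute(array($name));
    return $stmt->fetchColumn();   // stored username, or false when no row matches
}

$posted = "O'Brien";               // stands in for $_POST['username']

// Case 1: escape once, for the SQL literal only. PDO::quote() adds the
// surrounding quotes and the escaping this driver needs.
$db->exec('INSERT INTO user (username) VALUES (' . $db->quote($posted) . ')');

// The SQL parser consumes the escaping, so the stored value is the raw
// string and the raw input compares equal to it.
echo "escaped once, raw input matches:  ";
var_dump(findUser($db, $posted) === $posted);

// Case 2: escape twice (addslashes() on top of the driver's escaping).
// The backslash is now part of the stored data.
$db->exec('DELETE FROM user');
$db->exec('INSERT INTO user (username) VALUES (' . $db->quote(addslashes($posted)) . ')');

echo "escaped twice, raw input matches: ";
var_dump(findUser($db, $posted) === $posted);
echo "escaped twice, value in the table: ";
var_dump(findUser($db, addslashes($posted)));

// A value carrying SQL syntax is compared as plain data by the bound lookup.
echo "lookup with quote characters in the input: ";
var_dump(findUser($db, "x' OR '1'='1"));
```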