Unfortunately, that will not work. htmlspecialchars deals with data that will be displayed on the web browser, but here the data has been escaped in a different way for a different purpose.
The problem is that magic_quotes_gpc was a misguided attempt to provide a measure of security against SQL injection by automatically (or "automagically") escaping quotes in incoming variables, with the idea that when these incoming variables are used in SQL statements, they would be escaped, thus avoiding SQL injection.
The first flaw in this is that unlike mysql_real_escape_string, this escaping does not take into account the character set used by the database, thus specially crafted input can still be used to perform SQL injection. Then, there is the problem that incoming variables are not necessarily intended to be used in SQL statements, so the escaping would be a waste of time to begin with. This is why I suggested that you simply turn off magic_quotes_gpc, but apparently you cannot do that.
The workaround therefore is something like this:
    function undoMagicQuotes($str)
    {
        if (get_magic_quotes_gpc())
        {
            $str = stripslashes($str);
        }
        return $str;
    }
Now you can write:
    $sql = sprintf("SELECT id FROM Member WHERE username='%s'",
                   mysql_real_escape_string(undoMagicQuotes($_POST['username'])));
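The same workaround carried a little further, as an added example that is not part of the answer above: it handles the case where a `$_POST` value is itself an array (`stripslashes()` only accepts strings, so the one-line helper would fail there), guards the `get_magic_quotes_gpc()` call for PHP 8, where the function no longer exists, and does the final escape with `mysqli_real_escape_string()` after setting the connection character set, which is the step that makes the escaping charset-aware. The function names, the constructed `$samplePost` data and the `DB_HOST`/`DB_USER`/`DB_PASS`/`DB_NAME` placeholders are assumptions for illustration.

```php
<?php
// Added example, not part of the original answer. It generalizes the
// undoMagicQuotes() helper to nested arrays and shows the escape step
// with the mysqli extension (ext/mysql was removed in PHP 7.0).

// Unconditionally remove one level of magic-quotes backslashes, recursing
// into arrays because a field such as $_POST['tags'] may itself be an array.
function stripMagicQuotesDeep($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotesDeep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only strip when magic_quotes_gpc is actually on. get_magic_quotes_gpc()
// was removed in PHP 8.0, so guard the call; those versions never add slashes.
function undoMagicQuotesDeep($value)
{
    $on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $on ? stripMagicQuotesDeep($value) : $value;
}

// Constructed sample of what $_POST holds with magic_quotes_gpc=On when the
// user typed  O'Brien  and the tags  say "hi"  and  back\slash .
$samplePost = array(
    'username' => "O\\'Brien",
    'tags'     => array("say \\\"hi\\\"", "back\\\\slash"),
);

// In a real request this would be undoMagicQuotesDeep($_POST); the sample
// is stripped unconditionally so the example works on any PHP version.
$clean = stripMagicQuotesDeep($samplePost);

// Escape exactly once, for the database, after telling the driver which
// character set the connection uses. Connection details are placeholders.
$link = mysqli_connect('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4');

$sql = sprintf("SELECT id FROM Member WHERE username='%s'",
               mysqli_real_escape_string($link, $clean['username']));
```

The order matters: strip the magic-quotes layer first, then escape once for the database. Running `stripslashes()` after the escape, or escaping twice, corrupts legitimate input containing quotes or backslashes, which is the usual symptom of a site that has both magic_quotes_gpc and manual escaping enabled.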