Can someone tell me what the best way is to query a database using variables? I'm kind of confused about how and where to use ' and ", whether or not to escape the PHP code when loading variables, and also about using globals. Here's an example of one of my queries. Can someone make some suggestions as to how to do it "correctly"?

$result = mysql_query("SELECT login, pass, id FROM users WHERE login=\"$_POST['login']\"") or die ("Invalid query : Error 3.1");
Is it better to type the name of each column if all are queried or is it fine to just use *? I recall reading somewhere that it's best to type them all out but I just wanted to see what you all think about this.
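
An added example, not part of the original post: the same lookup written with a bound parameter, so the value of `$_POST['login']` is never spliced into the SQL text and the `'` versus `"` question inside the query goes away. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the function name `findUserByLogin`, the sample rows and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumption: PDO with the SQLite
// driver, using an in-memory database as a stand-in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; the column names come from the query in the post.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pass TEXT)');
$insert = $pdo->prepare('INSERT INTO users (login, pass) VALUES (:login, :pass)');
$insert->execute([':login' => 'alice',   ':pass' => password_hash('constructed-pw-1', PASSWORD_DEFAULT)]);
$insert->execute([':login' => "o'brien", ':pass' => password_hash('constructed-pw-2', PASSWORD_DEFAULT)]);

/**
 * Look up one user by login (hypothetical helper).
 * The SQL is a fixed single-quoted PHP string with a :login placeholder,
 * so PHP interpolates nothing into it. The value travels separately from
 * the statement and cannot change the query's structure, whatever quote
 * characters it contains.
 */
function findUserByLogin(PDO $pdo, string $login): ?array
{
    // Columns are listed explicitly so the result shape stays stable
    // if the table later gains columns.
    $stmt = $pdo->prepare('SELECT login, pass, id FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_POST['login']. The third one contains
// double quotes; here it is compared as a literal login and matches nothing.
$inputs = ['alice', "o'brien", '" OR "1"="1', 'nobody'];
foreach ($inputs as $login) {
    $user = findUserByLogin($pdo, $login);
    printf("%-14s => %s\n", $login, $user ? "id {$user['id']}" : 'no match');
}
```

Run from the command line, this prints a match for `alice` and `o'brien` and `no match` for the other two inputs.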