all lowercase (my tablet was auto-capitalizing, sorry)

and, it is important to remember that literal stings still need to be quoted 'like this' for SQL.
PHP Code:
<?php
$lastname mysql_real_escape_string$_POST['lastname'] );

$SQL "SELECT * FROM clients WHERE latsname = '$lastname'";

// say $_POST['lastname'] was "O'Brien"
// mysql_real_escape_string() will change it to "O\'Brien"
// so when you insert it into your query, you'll get:
//  "SELECT * FROM client WHERE lastname = 'O\'Brien'"
// which will insert correctly.

// say $_POST['firstname'] was "DELETE FROM clients"
// mysql_real_escape_string() won't do anything to this string, 
// but since the string is put into single quotes in your query, it will be treated as literal data:
//  "SELECT * FROM client WHERE lastname = 'DELETE FROM clients'"
// probably won't get any results, but it won't hurt anything.