If a string containing a single quote is interpolated into an SQL query unescaped, the query fails with a syntax error. mysqli->real_escape_string() escapes quotes (and other special characters) for MySQL, using the connection's character set, so set_charset() should be called first; for user-supplied values a prepared statement with bound parameters is the safer choice. See example:
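<?php
// Example: inserting a string that contains a single quote.
// Interpolating "John's car" straight into the SQL would terminate the quoted
// literal early, so the value is passed through mysqli::real_escape_string().
// For values that originate from users, prefer a prepared statement with
// bind_param(): it needs no manual escaping at all.

// create database connection ($HOST, $USER, $PASS, $DB are defined elsewhere)
$conn = new mysqli($HOST, $USER, $PASS, $DB);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// real_escape_string() escapes according to the connection's character set,
// so the charset must be set explicitly on the connection before escaping
$conn->set_charset('utf8mb4');
// this string will break SQL if not escaped
$line = "John's car"; // was missing its terminating semicolon (parse error)
// escape the value for use inside a single-quoted MySQL string literal
$line = $conn->real_escape_string($line);
// insert query
$sql = "INSERT INTO `mydb`.`lines` (`lineid`, `line`) VALUES (NULL, '{$line}');";
if ($conn->query($sql) === true) {
    // query successful
} else {
    echo "Error inserting data: " . $conn->error . "\n";
}
// close database connection (object style, matching the rest of the script)
$conn->close();
?>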