MySQL Query not inserted when PHP variable contains single quotes

Question

This query not inserted when variable $subject has single quotes . Is there any possible solution available ?

mysql_query(\"INSERT INTO  table  (to_email_id,         


        

Answer 1

Consider using Parameterized Queries using PDO for example.

Alternately, enclose your variables in brackets { }.

Edit:

I missed that your variable $subject contains single quotes. This means you have to escape them. (See the myriad of other answers and mysql_real_escape_string() about this.) But as you can see, single quotes inside the variable is exactly how injection attacks work. Escaping them helps prevent such problems as well as allow your query to store the expected data.

No answer about injection attacks is complete without referencing Bobby Tables.