I'm scraping data from third party sites using an html parser and then inserting the info that I need into MySQL. It just so happens that a lot of the info contains apostrophes in it. The trouble is that for the SQL query as follows:
INSERT INTO table (column) VALUE ('".$value."')
If the $variable has an apostrophe in it, the query breaks. There is simply too much info for me to manually insert it all. It would be entirely too time consuming. Any suggestions for me to make this query work?
This is a classic SQL injection flaw. If the value of $value is controlled by the user, they can basically do anything right now. The quote in the scraped string breaks out of the quoted environment within the SQL string, and thus allows for arbitrary SQL commands to be executed.
The short answer is, use mysql_real_escape_string.
Of course, there's the obligatory "mysql_* is deprecated, use mysqli or PDO" part of this too.
So in other words, your query is vulnerable with SQL Injection. Better use PDO or MySQLi Extension since you tagged `PHP.
Take time to read on this article: Best way to prevent SQL injection in PHP?