This question already has an answer here:
I want to save the string "thats'one" in my table columns, but I don't want to use mysqli_real_escape_string. Can anyone guide me regarding how to do that?
</div>
Since Im seeing so many low quality comments here, here is a rough untested answer.
$query = "INSERT INTO table (Column) VALUES (?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $val1);
$val1 = "thats'one";
$stmt->execute();
This presumes $mysqli is your connection object.
Additional links on the topic:
http://php.net/manual/en/mysqli-stmt.execute.php
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
http://php.net/manual/en/security.database.sql-injection.php
How can I prevent SQL injection in PHP?