How can I improve this code to make it handle injection and inputs with quotes?
$result = $conn->query("select bookName from Book");
echo "<select name='bookName'>";
while ($row = $result->fetch_assoc()) {
unset($bookName);
$bookName = $row['bookName'];
echo '<option value="'.$bookName.'">'.$bookName.'</option>';
}