[Scenario]

You need to escape your strings. Basically, any string you're inserting into a database that can be typed out directly from a player needs to be escaped. For one it will make it so you don't receive SQL errors if, for example (like in this case), they put an apostrophe in the string. It also makes it so people can't destroy your database.

Use mysql_real_escape_string() or mysql_escape_string() (if running R31) to do this.