hunter

Reputation: 1101

data insertion problem

I retrieve data from the UPC database and then want to insert the data into my own database. All the code is correct, but when I check my database there is no record in my database table. My code is

if (!$resp->faultCode())
{
    // Store the value of the response in a variable
    $val = $resp->value();
    // Decode the value into an array
    $data = XML_RPC_decode($val);
    // Optionally print the array to the screen to inspect the values
    echo $upc = $data['upc'];
    echo $ean = $data['ean'];
    echo $description = $data['description'];
    echo $size = $data['size'];
    // Build the INSERT by concatenating the raw values into the SQL string
    $query1 = "INSERT INTO upc(upc,ean,description,size) values('$upc','$ean','$description','$size')";
    var_dump($query1);
    $result1 = mysql_query($query1);
}
Note that I echoed all the variables and the result is shown like this
639382000393
0639382000393
The Teenager's Guide to the Real World by BYG Publishing
book
string(166) "INSERT INTO upc(upc,ean,description,size) values('639382000393
','0639382000393
','The Teenager's Guide to the Real World by BYG Publishing
','book
')" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Guide to the Real World by BYG Publishing
','book
')' at line 1
but no data is inserted in my table.

Upvotes: 0

Views: 124

Answers (2)

Andrejs Cainikovs

Reputation: 28464

Sure it will not work. You have a single quote in your string. Escape the strings, and you'll be fine.

string(166) "INSERT INTO upc(upc,ean,description,size) values('639382000393
','0639382000393
','The Teenager's Guide to the Real World by BYG Publishing
','book
')"

Upvotes: 1

Quentin

Reputation: 943833

The data includes a ' character and, instead of using bound variables, you are just mashing strings together to create your query. Since you use ' to delimit strings, the SQL breaks. This also means you are vulnerable to SQL Injection attacks.

Use bound variables.

Upvotes: 2
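The following is an added example, not code from the question or from either answer, showing the same INSERT written with bound variables via PDO prepared statements. The apostrophe in "The Teenager's Guide ..." then travels to the server as data rather than as SQL syntax, which fixes both the syntax error and the injection risk. The `mysql_*` functions used in the question have no parameter binding and were removed in PHP 7, so PDO (or mysqli) is assumed instead; the DSN, user name and password are placeholders, and the `$data` array is constructed from the values echoed in the question, including the trailing newlines visible inside the `var_dump()`ed query string.

```php
<?php
// Added example: INSERT with PDO prepared statements instead of string
// concatenation. Connection details are placeholders; $data is constructed
// to match the values echoed in the question.

// Constructed sample matching the echoed output. The var_dump() in the
// question shows each value ends with a newline, so that is reproduced here.
$data = [
    'upc'         => "639382000393\n",
    'ean'         => "0639382000393\n",
    'description' => "The Teenager's Guide to the Real World by BYG Publishing\n",
    'size'        => "book\n",
];

// Placeholder connection parameters; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    [
        // Throw on failure instead of silently returning false, so a failed
        // INSERT is visible rather than leaving an empty table with no message.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Inserts one decoded UPC record. Returns the number of rows inserted.
 * The SQL text contains only named placeholders; the values are sent
 * separately and never become part of the query string.
 */
function insertUpcRecord(PDO $pdo, array $data): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO upc (upc, ean, description, size)
         VALUES (:upc, :ean, :description, :size)'
    );

    // trim() strips the trailing newlines seen in the echoed output so they
    // are not stored in the table along with the real values.
    $stmt->execute([
        ':upc'         => trim($data['upc']),
        ':ean'         => trim($data['ean']),
        ':description' => trim($data['description']),
        ':size'        => trim($data['size']),
    ]);

    return $stmt->rowCount();
}

$inserted = insertUpcRecord($pdo, $data);
echo "Inserted {$inserted} row(s)\n";
```

With `PDO::ERRMODE_EXCEPTION` set, a failed statement raises a `PDOException` carrying the server's message, which is the quickest way to see why a table stays empty; the prepared statement itself is what removes the injection vector, independent of whether the data happens to contain a quote.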
