I have a problem with adding some text from my site if that text contains some symbols like (", ?, script, or some SQL tags).
Here is a little bit of code, hope this is enough :)
<?php
// Raw form input, taken straight from the request
$title = $_POST['title_field'];
$description = $_POST['description_field'];
// The values are concatenated directly into the SQL string, so a " (or other
// special character) in the input becomes part of the statement itself
$sql2 = 'INSERT INTO achievements (title,description) VALUES (' . '"' .$title . '"'. "," . '"' . $description . '"' . ')';
$records2 = mysqli_query($conn,$sql2);
The problem here is you're not using prepared statements and you're not escaping things properly, so some symbols conflict with SQL. In general terms this means you're vulnerable to SQL injection bugs.
$stmt = mysqli_prepare($conn, "INSERT INTO achievements (title, description) VALUES (?, ?)");
$stmt->bind_param("ss", $_POST['title_field'], $_POST['description_field']);
// Binding alone sends nothing; the statement still has to be run
$stmt->execute();
As a note, try to avoid putting redundant things in names like _field. It's presumed to be a field if it's in a form submission.
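The prepared-statement insert from the answer, written out as a complete handler with error handling and input checks. This is an added example, not code from the question or the answer; it assumes an already-connected mysqli handle $conn, a table achievements with columns title and description, and a form that posts fields named title and description (the _field suffix dropped as the answer suggests).

```php
<?php
// Added example (not from the original question or answer): the prepared-statement
// insert from the answer, wrapped in a function with error handling.
// Assumptions: a connected mysqli handle $conn, a table `achievements` with
// columns `title` and `description`, and a form posting `title` and `description`.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare/execute cannot be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one achievement and return its auto-increment id.
 *
 * The SQL text never changes: both values travel to the server as bound
 * parameters, so quotes, question marks, "script" or SQL keywords in the
 * input are stored as plain text and cannot alter the statement.
 */
function insertAchievement(mysqli $conn, string $title, string $description): int
{
    $stmt = $conn->prepare(
        'INSERT INTO achievements (title, description) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $title, $description);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Read the form fields, rejecting missing or empty ones up front instead of
// inserting empty rows.
$title = trim((string) ($_POST['title'] ?? ''));
$description = trim((string) ($_POST['description'] ?? ''));

if ($title === '' || $description === '') {
    http_response_code(400);
    exit('title and description are required');
}

try {
    $id = insertAchievement($conn, $title, $description);
    echo "Inserted achievement #{$id}\n";
} catch (mysqli_sql_exception $e) {
    // Keep the detail in the server log; the user gets a generic message so
    // table and query details are not exposed.
    error_log('achievement insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('could not save achievement');
}
```

With parameters bound this way, a title containing " or ' is stored exactly as typed. Storing text such as "script" is also harmless at the database layer; the separate concern is rendering it later, where the stored value should be passed through htmlspecialchars() before being echoed into HTML.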