To run a SQL query with text data containing single quotes ‘ as well as other SQL reserved punctuations, and to prevent SQL injections, you will always want to escape the text values before using them in a SQL query.
mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: x00, n, r, , ‘, ” and x1a.
mysql_real_escape_string($content);
“SELECT * FROM users WHERE user=’%s’ AND password=’%s'”, mysql_real_escape_string($user), mysql_real_escape_string($password)