
A MySQL query that I am running is throwing up the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc = 'Enter Description Here'' at line 2

The desc is a variable '$desc'. The error suggests that there is an extra ' before desc, but there is nothing in the code (below). If I remove desc altogether it works fine (obviously not updating that part). It's very strange; your help is greatly appreciated :-)

The code is:

//Get the form data
$title = $_POST['title'];
$keywords = $_POST['keywords'];
$desc = $_POST['desc'];

//initialise connection with database
require_once('../Connections/EliteGrooming.php');
mysql_select_db($database_EliteGrooming, $EliteGrooming);

//Escape the form data (mysql_real_escape_string takes one string plus the
//connection link and returns the escaped copy; it does not modify in place)
$title = mysql_real_escape_string($title, $EliteGrooming);
$keywords = mysql_real_escape_string($keywords, $EliteGrooming);
$desc = mysql_real_escape_string($desc, $EliteGrooming);

//Execute the query
$query = "
    UPDATE site_settings
    SET site_title = '$title', keywords = '$keywords', desc = '$desc';";

mysql_query($query) or die(mysql_error());
mysql_close();
header('Location: ../admin/site-settings.php?updated');
John Woo
AppleTattooGuy

2 Answers


desc is a reserved keyword; you must escape it with backticks:

$query = "
    UPDATE site_settings
    SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";

but your query is vulnerable to SQL injection; please read the article below.

John Woo
  • Thank you for your help, it worked great! I added mysql_real_escape_string($title, $keywords, $desc); does this not protect against SQL injection? Again, thank you so much for your help. – AppleTattooGuy Nov 17 '12 at 16:46
  • @JamesLeist [SQL injection that gets around mysql_real_escape_string()](http://stackoverflow.com/a/5741264/491243) – John Woo Nov 17 '12 at 16:48
  • @JamesLeist you are always welcome :D – John Woo Nov 17 '12 at 16:55
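The same UPDATE written with PDO prepared statements, as an added example that is not part of the question or either answer: it backtick-quotes the reserved word `desc` and binds the form values as parameters, so a quote in the input can never end the SQL string, and setting the connection charset in the DSN with emulated prepares disabled avoids the escaping bypass linked in the comment above. The host, database name, credentials and default values are assumptions, not details from the original post.

```php
<?php
// Added example, not the question's or answers' own code.
// Connection details below are placeholders (assumption).
$dsn = 'mysql:host=localhost;dbname=elitegrooming;charset=utf8mb4';
$pdo = new PDO($dsn, 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors as exceptions
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values never enter the SQL text
]);

function updateSiteSettings(PDO $pdo, string $title, string $keywords, string $desc): int
{
    // DESC is a reserved word in MySQL, hence the backticks around the column name.
    // Placeholders replace the interpolated '$title', '$keywords', '$desc' strings.
    $sql = 'UPDATE site_settings
            SET site_title = :title, keywords = :keywords, `desc` = :desc';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':title'    => $title,
        ':keywords' => $keywords,
        ':desc'     => $desc,
    ]);
    return $stmt->rowCount(); // number of rows the UPDATE touched
}

// Constructed sample input containing a single quote: with bound parameters it is
// stored literally instead of breaking the query as it would in the original code.
$title    = $_POST['title']    ?? "O'Brien's Elite Grooming";
$keywords = $_POST['keywords'] ?? 'dogs, grooming';
$desc     = $_POST['desc']     ?? "Enter Description Here";

$rows = updateSiteSettings($pdo, $title, $keywords, $desc);
header('Location: ../admin/site-settings.php?updated');
```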

You need to escape reserved words in MySQL, like desc, with backticks:

UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';
juergen d