[SQL Server]Incorrect syntax near 'neal'

Question

I'm trying to update my a row. But it automatically creates an error because the data in a column contains this Shaquille O'neal Or are there any problems ? Here's my code

  <?php
if(isset($_POST['editSubmit'])){
    $buildingID       = $_POST['editBuilding'];
    $buildingName     = $_POST['editBuildingName'];   
    $buildingProject  = $_POST['editBuildingProject'];
    $buildingFloors   = $_POST['editBuildingFloors'];
    $q = "update tblBuilding SET buildingName= '$buildingName' building_projectID='$buildingProject'
          floorNumber = '$buildingFloors'         
          where buildingID = '$buildingID'"; 
    $query = $db-> prepare($q);
    $results = $query->execute();
    echo" <meta http-equiv='refresh' content='0;url=project.php'>"; 
}
?>

EDITED: Prepared:

<?php
if(isset($_POST['editSubmit'])){
    $buildingID       = $_POST['editBuilding'];
    $buildingName     = $_POST['editBuildingName'];   
    $buildingProject  = $_POST['editBuildingProject'];
    $buildingFloors   = $_POST['editBuildingFloors'];

$stmt = $db->prepare("update tblBuilding set buildingName=?, building_projectID=?,floorNumber=?  where buildingID = $buildingID");

$stmt->bindParam(1, $buildingName );
$stmt->bindParam(2, $buildingProject);
$stmt->bindParam(3, $buildingFloors );
$stmt->execute();



    echo" <meta http-equiv='refresh' content='0;url=project.php'>"; 
}
?>

Answer 1

The real problem is that you're concatenating input data into SQL. This is a no-go: it opens the door wide for SQL injection problems.

Use parametrized queries and your problems should vanish.

Answer 2

I suggest you could print out the query. Most likely it's because you wrap the value $buildingName using single quote which paired with the one in Shaquille O'neal then causes the rest of the query syntax error.