Simple: don't use string concatenation to build SQL queries. It can and will leave you vulnerable to SQL Injection.
PHP: SQL Injection - Manual
Beyond that, if you want anyone to help you fix your code, you need to show the relevant parts of your code. Which you haven't done. So nobody can help you.
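An added example (not code from the answer above) showing the string-concatenated query the answer warns against next to the same lookup done with a PDO prepared statement; it assumes PHP with the pdo_sqlite extension and uses an in-memory database so it runs stand-alone:

```php
<?php
// Added example: vulnerable concatenation beside a PDO prepared statement.
// Assumes the pdo_sqlite extension; the table and rows are constructed inline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// VULNERABLE: the untrusted value becomes part of the SQL text itself, so a quote
// or SQL keyword inside it changes the structure of the statement being executed.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is bound separately
// and is only ever treated as data, never parsed as SQL.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a perfectly legitimate name containing a single quote,
// as it might arrive from a form field.
$input = "o'brien";

try {
    findUserUnsafe($db, $input);
} catch (PDOException $e) {
    // The quote in the input was parsed as SQL and broke the statement;
    // a deliberately crafted value would instead change what the query does.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The prepared statement handles the same input purely as data: no error,
// and simply no matching row.
var_dump(findUserSafe($db, $input));
var_dump(findUserSafe($db, 'alice'));
```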