That's due to the lack of escaping. This is referred to as SQL Injection where you damage the SQL structure by corrupting it with input.
The process is simple:
$_POST['input'] = stripslashes($_POST['input']);
$sQry = "SELECT * FROM table WHERE input = '" . mysql_real_escape_string($_POST['input']) . "'";
However, MySQL library is now officially deprecated, so you should be moving to either mysqli or pdo. Both support prepared statements:
$con = new MySQLi('connection details here');
if ($stmt = $con->prepare("SELECT * FROM table WHERE input = ?"))
// use bind_result to fetch from the query.
So, first step is always to remove magic quotes. These are gone as of 5.4, but since MySQLi is available since 5.0 they still need to be accommodated for. You can walk the entire $_POST/$_GET array:
$_POST = array_map('stripslashes', $_POST);
That will remove any \' that exists within the $_POST string data. It's not recursive though, so if you have array input of strings, than a simple recursive method or a recursive walk would suffice with a custom method.
That will clean up the input from the form itself and return it into its raw state (ie: O'Neil instead of O\'Neil). Now we can put that into the database. With the above examples, you either filter the variable through mysql_real_escape_string (using the mysql library), or you use prepared statements with Mysqli/PDO. MySQLi also has a escape sequence for it, but prepared statements are for more secure.
Hope that helps!