Because you don't have your sql in your question here 2 examples:
Object oriented style
$city = $mysqli->real_escape_string($city);
or the procedural style
$city = mysqli_real_escape_string($link, $city);
For more information see this: php.net/mysqli_real_escape_string
Also see Prepare statements this is better than mysqli_real_escape_string
php.net/manual/en/mysqli.prepare.php