The problem with the apostrophes:
You probably use an input like this:
<input type='text' value='<?php echo $value;?>'/>
The problem is that if the value has an apostrophe this happens:
<input type='text' value='Let's play'/>
So the value tag is ended because of the apostrophe in your variable.
To fix it simply use htmlspecialchars with ENT_QUOTES:
<?php
$value = htmlspecialchars("Let's play", ENT_QUOTES);
?>
<input type='text' value='<?php echo $value; ?>'/>
That way the apostrophes get encoded and the value will be editable in your form.
About the SQL injection:
Simply use mysqli's prepared statements and you will be fine. To also keep you safe from XSS, always htmlspecialchars
user input in HTML output. Even better is to filter the input to only what you need, and save only the filtered input to your database.
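Here is the whole answer put together as one runnable script. This is an added example, not code from the original answer: the `e()` helper, the `comments` table with its `author`/`body` columns, and the connection details are my own assumptions. It shows the single-quoted attribute breaking with no escaping, still breaking with the default flags (which encode `"` but not `'`), and fixed with ENT_QUOTES; then it stores the raw input with a mysqli prepared statement and escapes it only on output.

```php
<?php
// Added example for the answer above (not the original poster's code).
// Assumes PHP 7+ with the mysqli extension. Table name, column names and
// connection details below are hypothetical.

// Escape a string for HTML text or an HTML attribute value.
// ENT_QUOTES encodes both ' and ", so the result is safe inside single- or
// double-quoted attributes. ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead
// of returning an empty string, and the explicit charset avoids relying on
// the default_charset ini setting.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user input: an apostrophe plus some markup an attacker would try.
$value = "Let's play <script>alert(1)</script>";

// 1. No escaping: the apostrophe ends the value and the rest becomes markup.
$broken = "<input type='text' value='" . $value . "'/>";
// 2. Default flags (ENT_COMPAT): " is encoded but ' is not, so a
//    single-quoted attribute still breaks.
$stillBroken = "<input type='text' value='" . htmlspecialchars($value) . "'/>";
// 3. ENT_QUOTES: both quote characters are encoded; the value stays intact
//    and is editable in the form.
$fixed = "<input type='text' value='" . e($value) . "'/>";

echo "no escaping:   $broken\n";
echo "default flags: $stillBroken\n";
echo "ENT_QUOTES:    $fixed\n";

// Store input exactly as submitted using a prepared statement. The parameters
// travel separately from the SQL text, so quotes in them cannot change the
// query. Escaping for HTML is NOT done here; that belongs to output.
function save_comment(mysqli $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Read comments back and escape every database value as it goes into HTML.
function render_comments(mysqli $db): string
{
    $html = '';
    $stmt = $db->prepare('SELECT author, body FROM comments ORDER BY id');
    $stmt->execute();
    $stmt->bind_result($author, $body);
    while ($stmt->fetch()) {
        $html .= '<p><b>' . e($author) . '</b>: ' . e($body) . "</p>\n";
    }
    $stmt->close();
    return $html;
}

// Optional: filter the input to what you actually need before saving it.
// Here an author name is restricted to 1-30 letters, digits, spaces or
// apostrophes (the apostrophe is legitimate data, e.g. "O'Brien").
function valid_author(string $author): bool
{
    return preg_match("/^[\\p{L}\\p{N} ']{1,30}$/u", $author) === 1;
}

// Only runs when a database is reachable; connection details are assumptions.
if (getenv('DEMO_DB_DSN') === 'run') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    $db->set_charset('utf8mb4');
    if (valid_author("O'Brien")) {
        save_comment($db, "O'Brien", $value);
    }
    echo render_comments($db);
}
```

Running the script without a database prints the three attribute variants; only the third survives an apostrophe in the value. Note that `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` makes mysqli throw on failures, which is what you want: a silently failed `prepare()` followed by `bind_param()` on `false` is a classic source of confusing bugs.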