You're running into a thing called "SQL injection", and this is a serious problem you should care about.
Please read http://php.net/mysql_real_escape_string and use this function to escape special characters of your input data.
It seems that you have a query like:
$query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
So your generated query string is maybe like:
$topic = "foobar";
$query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
echo $query;
will result in:
INSERT INTO tbl (`topic`) VALUES ('foobar');
which is nice. But:
$topic = "f'); delete from tbl;";
$query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
echo $query;
will return:
INSERT INTO tbl (`topic`) VALUES('f'); delete from tbl;
and this is not what you want to happen.
To reach the next level of your programming skills in PHP, you should read the PDO documentation (http://php.net/pdo) and learn more about the use of parameters in a SQL statement :)
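The parameterized form that the PDO documentation describes, shown as an added example that is not part of the original answer. It assumes the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for the MySQL table `tbl`; the `addTopic` helper and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the original answer. Assumes pdo_sqlite is
// available; the in-memory database stands in for the MySQL table `tbl`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, topic TEXT NOT NULL)');

// Hypothetical helper: inserts one topic using a bound parameter.
function addTopic(PDO $pdo, string $topic): void
{
    // The SQL text is fixed. $topic travels separately as a bound value,
    // so quotes and semicolons inside it are never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO tbl (topic) VALUES (:topic)');
    $stmt->execute([':topic' => $topic]);
}

// Constructed sample inputs, including the string from the answer above
// and an ordinary value that contains a single quote.
$inputs = ['foobar', "f'); delete from tbl;", "O'Reilly"];
foreach ($inputs as $topic) {
    addTopic($pdo, $topic);
}

// Read the rows back and compare each with what was submitted.
$rows = $pdo->query('SELECT topic FROM tbl ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $i => $stored) {
    $state = ($stored === $inputs[$i]) ? 'intact' : 'changed';
    printf("%d: %s (%s)\n", $i + 1, $stored, $state);
}
printf("rows in tbl: %d\n", count($rows));
```

With a MySQL DSN the same `prepare`/`execute` calls apply; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements instead of client-side emulation.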