I can see you have 3 quotes in your query(always end with pairs, right), and it indicated synax error, using echo to see what is the exact reture queery string, maybe try escape character.

There are several ways to include quotes within a string:

A `'' inside a string quoted with `'' may be written as `'''.
A `"' inside a string quoted with `"' may be written as `""'.
You can precede the quote character with an escape character (`\').
A `'' inside a string quoted with `"' needs no special treatment and need not be doubled or escaped. In the same way, `"' inside a string quoted with `'' needs no special treatment.

SQL injection, by my understanding, it's using bla' or 1=1-- to make a always true statement, you can test by using that string.

Sorry for my bad English, not my mother tongue.