You need to escape all unescaped strings before putting them into a query.
Sample:
$tmpSql = "INSERT INTO tbl_public_menu(parent_menu, menu_title, page_title ,content)"
. " VALUES('" . $this->public_menu["parent_menu"] . "'"
. ",'" . $this->public_menu["menu_title"] . "'"
. ",'" . $this->public_menu["page_title"] . "'"
. ",'" . $this->public_menu["content"] . "'"
. ")";
Should be replaced with:
$tmpSql = "INSERT INTO tbl_public_menu(parent_menu, menu_title, page_title ,content)"
. " VALUES('" . $this->public_menu["parent_menu"] . "'"
. ",'" . mysql_real_escape_string($this->public_menu["menu_title"]) . "'"
. ",'" . mysql_real_escape_string($this->public_menu["page_title"]). "'"
. ",'" . mysql_real_escape_string($this->public_menu["content"]) . "'"
. ")";
You need to apply the same changes to all insert and update queries (when the corresponding strings aren't already escaped).
Kind Regards,
Alex
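An added example, not code from the report above or from the project it concerns, that shows the concatenation pattern the report flags next to two safe alternatives: the escaping fix it recommends (written with mysqli_real_escape_string, since the mysql_* functions were removed in PHP 7) and a prepared statement. The connection parameters and the attacker-controlled menu array are constructed placeholders; the table and column names are the ones in the report.

```php
<?php
// Added example, not part of the original report. Assumes a mysqli
// connection to a database containing tbl_public_menu with the four
// columns named in the report; the connection details are placeholders.
$db = new mysqli('localhost', 'user', 'password', 'appdb');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

// Constructed attacker-controlled input: menu_title carries a quote that
// ends the string literal, and content carries an ordinary apostrophe
// that also breaks the unescaped query.
$menu = [
    'parent_menu' => 'root',
    'menu_title'  => "News', 'x', 'x'); DROP TABLE tbl_public_menu; -- ",
    'page_title'  => 'News',
    'content'     => "O'Reilly",
];

// 1. The pattern the report flags: values concatenated straight into the
//    statement. The quote in menu_title closes the literal and whatever
//    follows it is parsed as SQL.
function buildUnescaped(array $m): string {
    return "INSERT INTO tbl_public_menu(parent_menu, menu_title, page_title, content)"
         . " VALUES('" . $m['parent_menu'] . "'"
         . ",'" . $m['menu_title'] . "'"
         . ",'" . $m['page_title'] . "'"
         . ",'" . $m['content'] . "')";
}

// 2. The fix the report recommends, escaping every string value that has
//    not already been escaped upstream (parent_menu is escaped here too,
//    on the assumption that it arrives unescaped).
function buildEscaped(mysqli $db, array $m): string {
    return "INSERT INTO tbl_public_menu(parent_menu, menu_title, page_title, content)"
         . " VALUES('" . $db->real_escape_string($m['parent_menu']) . "'"
         . ",'" . $db->real_escape_string($m['menu_title']) . "'"
         . ",'" . $db->real_escape_string($m['page_title']) . "'"
         . ",'" . $db->real_escape_string($m['content']) . "')";
}

// 3. A prepared statement: the values never become part of the SQL text,
//    so nothing has to be escaped and there is nothing to forget.
function insertPrepared(mysqli $db, array $m): bool {
    $stmt = $db->prepare(
        "INSERT INTO tbl_public_menu(parent_menu, menu_title, page_title, content)"
        . " VALUES(?, ?, ?, ?)"
    );
    $stmt->bind_param('ssss', $m['parent_menu'], $m['menu_title'],
                      $m['page_title'], $m['content']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

echo buildUnescaped($menu), PHP_EOL;     // the quote breaks out of the literal
echo buildEscaped($db, $menu), PHP_EOL;  // quotes now appear as \' inside the literal
insertPrepared($db, $menu);              // the payload is stored as plain text
```

The escaping fix only works if the escape function is applied with the same connection character set the query is sent over, and it has to be repeated for every string in every INSERT and UPDATE; the prepared statement removes that per-value bookkeeping, which is why it is the better choice when the code can be changed that far.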