This quotes the necessary things, thereby preventing syntax errors (if the user includes an apostrophe) and SQL injections (if someone is trying to take advantage of that):
$ENG = mysql_escape_string($ENG);

The Stored procedure won't help at all -- you have to CALL the SP:
... mysql_query("CALL eng_lookup('$ENG')";