HELP adding mysql_real_escape_string as ' gives error inserting...

[wispas]

I need help adding a mysql_real_escape_string into my code as whenever i insert a ' into my city description it gives me a error and does not insert into the database... please help.

 

<?php
include('includes/config.php');
$tbl_name="city"; // Table name

// Get values from form
$city_name=$_POST['city_name'];
$city_desc=$_POST['city_desc'];

// Insert data into mysql
$sql="INSERT INTO $tbl_name(city_name, city_desc)VALUES('$city_name', '$city_desc')";
$result=mysql_query($sql);

?>

[JonnoTheDev]

<?php
$result = mysql_query("INSERT INTO ".$tbl_name."(city_name, city_desc) VALUES('".mysql_real_escape_string($city_name)."', '".mysql_real_escape_string($city_desc)."')");
?>

[wispas]

Thanks Neil. I have also done this which also works:

 

<?php
include('includes/config.php');
$tbl_name="city"; // Table name

// Get values from form
$city_name = mysql_real_escape_string($_POST['city_name']) ;
$city_desc = mysql_real_escape_string($_POST['city_desc']) ;
$city_meta_keywords = mysql_real_escape_string($_POST['city_meta_keywords']) ;
$city_meta_desc = mysql_real_escape_string($_POST['city_meta_desc']) ;

// Insert data into mysql
$sql="INSERT INTO $tbl_name(city_name, city_desc, city_meta_keywords, city_meta_desc)VALUES('$city_name', '$city_desc', '$city_meta_keywords', '$city_meta_desc')";
$result=mysql_query($sql);

?>

[JonnoTheDev]

Yeah, but it looks messy. Why create a variable when the value is already stored in the post array. Just clean the array values in one go.

<?php
$fields = array('city_name','city_desc','city_meta_keywords','city_meta_desc');
foreach($fields as $field) {
$_POST[$field] = mysql_real_escape_string($_POST[$field]);
}
$result = mysql_query("INSERT INTO ".$tbl_name." (city_name, city_desc, city_meta_keywords, city_meta_desc) 
								VALUES('".$_POST['city_name']."', '".$_POST['city_desc']."', '".$_POST['city_meta_keywords']."', '".$_POST['city_meta_desc']."')");
?>