Is there some reason that mysql_real_escape_string isn't working here? It sends an empty variable for $editednote.
$editednote = mysql_real_escape_string($_POST['editednote']);
The value is being passed from a form as POST. I already echoed it to check and it is working, and if I remove the mysql_real_escape_string it works fine, except illegal characters crash the script. It works perfectly on another page: same code, different variable names. See any errors?
echo "
<form name=\"editnote\" method=\"post\" action=\"scripts/editnote_script.php\">
<input type=\"hidden\" name=\"postID\" value=$postID>
<input type=\"hidden\" name=\"subsID\" value=$subsID>
<textarea name=\"editednote\" rows=\"12\" cols=\"50\">";
echo $note;
echo "</textarea><br /><br />
<input type=\"submit\" name=\"submitnote\" value=\"Submit\" />
</form>
";
<?php
session_start();
if (!isset($_SESSION['username'])) {
header("Location: login.php");
exit;
}
$subsID = $_POST['subsID'];
$postID = $_POST['postID'];
$editednote = mysql_real_escape_string($_POST['editednote']);
// Makes initial connection to database
define ('DB_USER', '****');
define ('DB_PASSWORD', '****');
define ('DB_HOST', '****');
define ('DB_NAME', '****');
$connect = @mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
or die(mysql_error());
$db = @mysql_select_db(DB_NAME, $connect)
or die(mysql_error());
// Update subscriber last issue
$updatenote = "UPDATE subscriber_notes SET note = '$editednote' WHERE postID = '$postID'";
$updatenote_result= mysql_query($updatenote)
OR die('QUERY ERROR:<br />' .$updatenote. '<br />' .mysql_error());
header("Location: ../subscriberdetail.php?id=$subsID");
exit;
?>
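
Added example, not part of the original post: mysql_real_escape_string() needs an open MySQL connection and returns false when none is available, and the posted script calls it before mysql_connect(), while $postID goes into the query with no escaping at all. The sketch below does the same update with mysqli and a prepared statement, which removes the ordering dependency and keeps both values out of the SQL text. It assumes postID and subsID are positive integers and that the database uses utf8mb4; the credentials are the same placeholders as in the post.

```php
<?php
session_start();
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}

// Assumption: both IDs are positive integers; anything else is rejected.
$intRule = ['options' => ['min_range' => 1]];
$subsID = filter_input(INPUT_POST, 'subsID', FILTER_VALIDATE_INT, $intRule);
$postID = filter_input(INPUT_POST, 'postID', FILTER_VALIDATE_INT, $intRule);
// The note is free text: take it raw and let the bound parameter carry it.
$editednote = filter_input(INPUT_POST, 'editednote', FILTER_UNSAFE_RAW);

if (!$subsID || !$postID || !is_string($editednote)) {
    http_response_code(400);
    exit('Invalid request');
}

// Placeholders, as in the post.
define('DB_USER', '****');
define('DB_PASSWORD', '****');
define('DB_HOST', '****');
define('DB_NAME', '****');

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
    $db->set_charset('utf8mb4'); // assumption: schema charset is utf8mb4

    // Values travel separately from the SQL, so quotes in the note are harmless.
    $stmt = $db->prepare('UPDATE subscriber_notes SET note = ? WHERE postID = ?');
    $stmt->bind_param('si', $editednote, $postID);
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo the query or error to the browser.
    error_log('editnote update failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the note');
}

// $subsID is a validated integer, so it is safe to place in the redirect URL.
header('Location: ../subscriberdetail.php?id=' . $subsID);
exit;
```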