testing mysql_real_escape_string

1. <?php
2. // Connect
3. $link = mysql_connect($_ENV["DB_PORT_3306_TCP_ADDR"], $_ENV["DB_ENV_MYSQL_USER"], $_ENV["DB_ENV_MYSQL_PASSWORD"]) OR die(mysql_error());
4. mysql_select_db($_ENV["MYSQL_ENV_MYSQL_DATABASE"], $link);
5.  
6. // Query
7. $lastname  = "O'Reilly";
8. $_lastname = mysql_real_escape_string($lastname, $link);
9.  
10. if ( isset($_GET['insert']) ) {
11.     mysql_query ( sprintf("INSERT INTO comments (`comment`) VALUES ('%s')", $_lastname) , $link );
12. }
13.  
14. $query = "SELECT * FROM comments WHERE comment LIKE '%$_lastname%'";
15.  
16. echo '<pre>';
17. var_dump($_lastname);
18. var_dump($query);
19.  
20. $result = mysql_query($query, $link);
21. if (!$result) {
22.     $message  = 'Invalid query: ' . mysql_error() . "\n";
23.     $message .= 'Whole query: ' . $query;
24.     die($message);
25. }
26. while ($row = mysql_fetch_assoc($result)) {
27.     var_dump($row);
28. }