Your problem is the code below. First you are escaping the data using mysql_real_escape_string() and then you are un-escaping the escaped data using stripslashes().
PHP Code:
$first = mysql_real_escape_string($_POST['first']);
$middle = mysql_real_escape_string($_POST['middle']);
$last = mysql_real_escape_string($_POST['last']);
$email = mysql_real_escape_string($_POST['email']);
$wphone = mysql_real_escape_string($_POST['wphone']);
$cphone = mysql_real_escape_string($_POST['cphone']);
$username = mysql_real_escape_string($_POST['username']);
$location = mysql_real_escape_string($_POST['location']);
/* Let's strip some slashes in case the user entered
any escaped characters. */
$first = stripslashes($first);
$middle = stripslashes($middle);
$last = stripslashes($last);
$email = stripslashes($email);
$wphone = stripslashes($wphone);
$cphone = stripslashes($cphone);
$username = stripslashes($username);
$location = stripslashes($location);
Basically you are doing the following:
PHP Code:
$first = stripslashes(mysql_real_escape_string($_POST['first']))
Which is the same thing as:
PHP Code:
$first = $_POST['first']
stripslashes() needs to be executed before mysql_real_escape_string() or removed entirely