my actual code is:

$agent_id=mysql_real_escape_string($_GET['memberid']);

$result = mysql_query("SELECT id,ac_no,agent_name FROM ankali_slabpay WHERE agent_id=$agent_id ORDER BY id DESC LIMIT 1");
$row = mysql_fetch_array($result);
$ac_number=$row['ac_no'];
$agent_name=$row['agent_name'];
?>
<?php 
$b = array(000350,000400,000450); //pre-defined installment amount values
$replacement = "000000";
$cust_mast = '$C21';
$bank_name = 'KISAN SWARAJ';
$dfile = "READ ME CUSTOMERS.txt";
$fo = fopen($dfile, 'w') or die("can't open file");
$stringData1 =str_pad($cust_mast, 0, STR_PAD_LEFT).",".str_pad($bank_name, 20, ' ',STR_PAD_RIGHT).",".str_pad($agent_id, 2, STR_PAD_LEFT).",".str_pad($agent_name, 24, ' ',STR_PAD_RIGHT).","."123456".",".str_pad('123456', 69, ' ', STR_PAD_RIGHT)."@"."\r\n";
fwrite($fo, $stringData1);

$select = mysql_query("SELECT ac_no, cust_name, GROUP_CONCAT(install_amt SEPARATOR ',') as installamt FROM ankali_slabpay  WHERE agent_id=$agent_id GROUP BY ac_no");
$e=array();
$inst_result=array();
while($row1 = mysql_fetch_assoc($select)){
$e[] = $row1['installamt'];
$a=implode(",",$e);

$i=0;
foreach($b as $k=>$v)
{
    if($v==$a[$i])
    {
        $b[$k]='000000'; //replace with 000000 if both values are same i.e. $b == $a
    }
    $i++;
}
$arr2=implode(",",$b);

$stringData2=str_pad($row1['ac_no'], 4, '0', STR_PAD_LEFT).",".str_pad($row1['cust_name'],20, ' ', STR_PAD_RIGHT). ",".$arr2."@"."\r\n";
fwrite($fo, $stringData2);
}
$stringData3="";
fwrite($fo, $stringData3);
fclose($fo);
header("Content-Disposition: attachment; filename=$dfile");
header("Content-Type: application/octet-stream; "); 
readfile($dfile);

the output should be:

$C21,KISAN SWARAJ        ,10,ROBERT                  ,123456,123456                      @
0001,MICHAEL             ,000000,000400,000450@
0005,KIM                 ,000350,000400,000450@

Could you also post what the output actually is at the moment? That should help myself and others to find out where you're going wrong easier.

What I will comment on within your code though is that your use of mysql_real_escape_string() (MRES) is nugatory. The MRES function was designed to escape quotes (both single and double) and backslashes. Because you aren't encasing the $agent_id variable within either of these quotes within your query, SQL code can be directly entered into the query and it will not be treated as a harmless string - it will be executed against your database. To avoid this problem, you can validate the $agent_id variable prior to using it within your query, perhaps through type-casting it to an integer:

<?php
$clean['id'] = (int) $_GET['memberid'];

$result = mysql_query("SELECT id,ac_no,agent_name FROM ankali_slabpay WHERE agent_id=$agent_id ORDER BY id DESC LIMIT 1");

You should also eschew using the original mysql extension since it has been deprecated as of PHP 5.5.0.

the output is:

$C21,KISAN SWARAJ        ,10,ROBERT               ,123456,123456       @
0001,MICHAEL             ,232,256,296@
0005,KIM                 ,232,256,296@
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.