Ok, so you have a SELECT so, you'll get those details into PHP.
Why don't you just make the replace into PHP?
" select ... ".REPLACE(NearMissDetails, " ", " ")." ... WHERE "
This is not a valid code. There is no function named REPLACE in PHP. Also, your NearMissDetails will be a constant and in case it's not defined, you'll just get NearMissDetails, as string.
same invalid code here
"SELECT col1, col2, ".mysql_real_escape_string(Anyimmediateactions)." FROM ..."
So, to make it from SQL, you'd need something like:
DATE_FORMAT(DateOccured, '%e-%c-%Y %H:%i') as DateOccurred,
REPLACE( NearMissDetails, ' ', ' ' ) NearMissDetails,
Behaviours, PotentialOutcome, Likelihood, Comments, PersonsMostLikelyInjured,
CloseDate, HighPotentialIncident, HPIInvestigatedBy, BUHSELeader, BUSectorLeader,
HPIInvestigationConclusion, HPIBriefingNoteRef, HPIInvestigationCloseOutDate
ORDER by DateOccured ASC";
Here, the $sqlstar is the security concern, not Anyimmediateactions (that cannot have mysql_real_escape_string because it's still into your MySql)