Problem while using variables in Mysql query



Cirx08
02-27-2012, 11:36 AM
I have been trying to get my insert query working properly but it won't work. When I replace the variables with actual text though, it works,
e.g. mysql_query("INSERT INTO friend (id, user, comment, date, avatar) VALUES ('', 'Name', 'This is a comment', '', 'Op')");

But if I then do it the normal way like this it doesn't work, even if I have the variables set to a specific string such as: $username = 'bob';

mysql_query("INSERT INTO $friend (id, user, comment, date, avatar) VALUES (''," . $username . ", " . $newComment . ", " . $date . ", " . $status . ")");

I really don't know what else to try.



<?php
session_start();

// Request inputs: session, cookies and POST fields
$username    = $_SESSION['user'];
$friend      = $_COOKIE['friend'];           // table name is taken from a cookie
$newComment  = $_POST['profileComment'];
$date        = date('y-m-d h:i');
$status      = $_COOKIE['status'];
$commentPost = $_POST['ProfileCommentSubmit'];

if ($commentPost)
{
    if (strlen($newComment) > 4)
    {
        if (strlen($newComment) < 501)
        {
            mysql_connect('localhost', 'root', 'D00134152');
            mysql_select_db('minecraft_profile_comments');
            // The variables are interpolated without quotes; this is the query that fails
            mysql_query("INSERT INTO $friend (id, user, comment, date, avatar) VALUES ('', $username, $newComment, $date, $status)");
            setcookie('note', '* Comment successfully posted', time() + 3600, '/');
            header('Location: ../notification.php');
        }
        else
        {
            setcookie('note', '* Comment is too long', time() + 3600, '/');
            header('Location: ../notification.php'); // was 'Locate:', which is not a valid header
        }
    }
    else
    {
        setcookie('note', '* Comment is too short', time() + 3600, '/');
        header('Location: ../notification.php'); // was 'Locate:'
    }
}
else
{
    header('Location: ../forum.php'); // was 'Locate:'
}
?>

MarkR
02-27-2012, 11:54 AM

You need to wrap your variables in single quotes for the MySQL query:


('', '$username', '$newComment', '$date', '$status')

Also you should look at sanitizing your user input, that statement is ripe for a bit of SQL injection!

Look at prepared statements.

KuriosJon
02-27-2012, 12:31 PM
mysql_real_escape_string() (http://php.net/manual/en/function.mysql-real-escape-string.php) is the function you're looking for to sanitize your inputs.

If you insert user data into your database, you *must* use that function or any user could steal your data or even delete your entire database.
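The prepared-statement approach MarkR points to, as an added example that is not code from the thread: the same INSERT through PDO (PHP 7+), so the values need neither the quoting nor the escaping discussed above, while the table name, which the original reads from a cookie and which a placeholder cannot bind, is checked against an allow-list. The allow-list contents and the database credentials are assumed placeholders.

```php
<?php
// Added example (not from the thread): the poster's INSERT as a PDO prepared statement.
// Allow-list of table names and database credentials below are placeholders.
session_start();

// The table name comes from a cookie. A placeholder cannot bind an identifier, so
// it is matched against a fixed list of known table names instead of being escaped.
$allowedTables = ['friend'];                 // assumed; list every real comment table here
$friend = $_COOKIE['friend'] ?? '';
if (!in_array($friend, $allowedTables, true)) {
    header('Location: ../forum.php');
    exit;
}

$username   = $_SESSION['user'] ?? '';
$newComment = $_POST['profileComment'] ?? '';
$status     = $_COOKIE['status'] ?? '';
$date       = date('y-m-d h:i');

// Same length rules as the original post (5 to 500 characters)
$length = strlen($newComment);
if ($length <= 4 || $length >= 501) {
    $note = $length <= 4 ? '* Comment is too short' : '* Comment is too long';
    setcookie('note', $note, time() + 3600, '/');
    header('Location: ../notification.php');
    exit;
}

// Use a dedicated low-privilege account rather than root; credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=minecraft_profile_comments;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
// Values travel to the server separately from the SQL text, so quotes or semicolons
// inside $newComment are stored literally and never parsed as SQL. The id column is
// omitted on the assumption that it is auto-increment.
$stmt = $pdo->prepare(
    "INSERT INTO `$friend` (user, comment, date, avatar) VALUES (:user, :comment, :date, :avatar)"
);
$stmt->execute([
    ':user'    => $username,
    ':comment' => $newComment,
    ':date'    => $date,
    ':avatar'  => $status,
]);
setcookie('note', '* Comment successfully posted', time() + 3600, '/');
header('Location: ../notification.php');
exit;
```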


