Vinyl-Junkies answer is wrong.
Oh, his point
will be seen as MySQL as a string literal is correct. But you *WANT* it to be seen as a string literal!!! Your INSERT will never work if those are not seen as MySQL as string literals. Without the apostrophes, the values can only be numbers or the names of columns in the DB.
Just *AFTER* you assign the sql string to the $sql
variable, add in a DEBUG line:
echo "<hr/>DEBUG SQL: " . $sql . "<hr/>\n";
and then show us what that debug line shows you.