
Query Not Working

The simple query below is not working. Any idea why? When I echo the three variables, the correct values are returned, so I know I have variables.

Thanks in advance,

John

// Raw form input, used as-is (this is the code as posted; see the answer below)
$comment = $_POST['comment'];
$uid = $_POST['uid'];
$subid = $_POST['submissionid'];

// Sanity check: all three values print correctly
echo $comment;
echo $uid;
echo $subid;

mysql_connect("mysqlv12", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

// Build the INSERT by string formatting; the table has six columns, the first
// and last two are left as NULL
$query = sprintf("INSERT INTO comment VALUES (NULL, '%s', '%s', '%s', NULL, NULL)", $uid, $subid, $comment);

// Return value is not checked, so a failure is silent
mysql_query($query);


The query looks fine on the surface. What are the values you're inserting? Do any of them have a single quote in them? I'd guess the comment field is the likeliest culprit for that. Your code is utterly vulnerable to SQL injection as it stands now. You should replace all the variable assignments as follows, for a bare minimum of security:

$comment = $_POST['comment'];

becomes

$comment = mysql_real_escape_string($_POST['comment']);

This will also incidentally take care of any single quotes that may be causing your query to fail. As well, you do need to check if the query succeeded:

mysql_query($query) or die (mysql_error());

which would immediately tell you if there were any problems (sql syntax error, database server died, connection failed, etc...)

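As an added illustration (not code from John's question or from the answer above), the same INSERT written three ways: the string-built form that breaks on a quote, the escaped form the answer recommends, and a prepared statement, which is the form to prefer. It uses the mysqli extension because the mysql_* functions were removed in PHP 7. The host, credentials, database name and the six-column layout of the comment table are taken from the question; the sample values are constructed. One caveat worth knowing: mysql_real_escape_string (and mysqli's real_escape_string) needs an open connection, so the escaping has to happen after the connect, not at the top of the script where the question assigns the variables.

```php
<?php
// Added example, not part of the original post. Assumes the connection details
// and the 6-column `comment` table exactly as in John's question.

// Constructed sample input: a comment containing a single quote, the case the
// answer suspects is breaking the original query.
$uid     = '42';
$subid   = '7';
$comment = "Don't do this";

// 1) What the original code builds. The quote inside $comment closes the
//    string literal early, so MySQL reports a syntax error (and anything
//    after the quote is parsed as SQL: that is the injection).
$bad = sprintf("INSERT INTO comment VALUES (NULL, '%s', '%s', '%s', NULL, NULL)",
               $uid, $subid, $comment);
// $bad is now:
// INSERT INTO comment VALUES (NULL, '42', '7', 'Don't do this', NULL, NULL)

$mysqli = new mysqli("mysqlv12", "username", "password", "database");
if ($mysqli->connect_errno) {
    die("Connect failed: " . $mysqli->connect_error);
}
// Escaping is charset-aware, so tell the server which charset we send.
$mysqli->set_charset("utf8mb4");

// 2) The answer's fix: escape each value. This must run AFTER the connect,
//    because real_escape_string uses the open connection.
$safe = sprintf("INSERT INTO comment VALUES (NULL, '%s', '%s', '%s', NULL, NULL)",
                $mysqli->real_escape_string($uid),
                $mysqli->real_escape_string($subid),
                $mysqli->real_escape_string($comment));
// Always check the result; a failed query is otherwise silent.
if (!$mysqli->query($safe)) {
    die("Query failed: " . $mysqli->error);
}

// 3) The preferred fix: a prepared statement. The values are sent separately
//    from the SQL text, so a quote inside them cannot change the statement.
$stmt = $mysqli->prepare("INSERT INTO comment VALUES (NULL, ?, ?, ?, NULL, NULL)");
if ($stmt === false) {
    die("Prepare failed: " . $mysqli->error);
}
$stmt->bind_param("sss", $uid, $subid, $comment);
if (!$stmt->execute()) {
    die("Execute failed: " . $stmt->error);
}
echo "Inserted row id " . $stmt->insert_id . "\n";
$stmt->close();
$mysqli->close();
```

Run it against the database from the question; variant 2 and variant 3 both insert the row with the apostrophe intact, while sending $bad to the server fails with a syntax error, which is what "or die(mysql_error())" would have shown in the original script.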
