Put the values inside single quotes:
$sql = "INSERT INTO show_reviews (username, date, content, show) VALUES ('".addslashes($_POST['username'])."','".addslashes($_POST['date'])."','".addslashes($_POST['content'])."','".addslashes($_POST['show'])."')";
Also, as others have said, show is a reserved keyword in MySQL. You can see the full list of reserved keywords for MySQL 5.5 at http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
You can quote reserved words with backticks to be able to use them:
INSERT INTO show_reviews (username, date, content, `show`)
Quoting identifiers: http://dev.mysql.com/doc/refman/5.5/en/identifiers.html
Finally, to echo the comments about using addslashes() for escaping: I will let Chris Shiflett explain why this is bad: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
You really should get on board with prepared statements / parameterized queries using PDO or, at least, MySQLi. Here is an example of what the query would look like:
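$dbh = new PDO($connection_string);
// `show` is a reserved word in MySQL, so it is quoted with backticks
$sql = "INSERT INTO show_reviews (username, date, content, `show`) VALUES (?, ?, ?, ?)";
$stmt = $dbh->prepare($sql);
// The values are bound to the placeholders, never concatenated into the SQL text
$stmt->execute(array($_POST['username'], $_POST['date'], $_POST['content'], $_POST['show']));
// An INSERT returns no result set, so there are no rows to fetch afterwards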
This is just an example; it's still good to sanitize your $_POST variables and do everything possible to make sure the data you receive is exactly what you were expecting to get. These prepared statements take care of the escaping for you correctly and, if you use PDO, in the right way for your particular database engine.
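
The validation step and the prepared statement described above, combined in one runnable sketch (an added example, not part of the original answer). It assumes an in-memory SQLite database standing in for MySQL, hypothetical helper names validate_review() and insert_review(), and validation rules chosen only for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server, and
// validate_review()/insert_review() are hypothetical helper names.

function validate_review(array $post): array
{
    $clean = [];
    foreach (['username', 'date', 'content', 'show'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or non-string field: $field");
        }
        $clean[$field] = trim($post[$field]);
    }
    // Assumed rules: short alphanumeric username, strict Y-m-d date, bounded text.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $clean['username'])) {
        throw new InvalidArgumentException('bad username');
    }
    $d = DateTime::createFromFormat('Y-m-d', $clean['date']);
    if ($d === false || $d->format('Y-m-d') !== $clean['date']) {
        throw new InvalidArgumentException('bad date');
    }
    if ($clean['content'] === '' || strlen($clean['content']) > 2000
        || $clean['show'] === '' || strlen($clean['show']) > 100) {
        throw new InvalidArgumentException('bad content or show');
    }
    return $clean;
}

function insert_review(PDO $dbh, array $post): int
{
    $review = validate_review($post);
    // `show` is quoted with backticks; values travel as bound parameters only.
    $stmt = $dbh->prepare(
        'INSERT INTO show_reviews (username, date, content, `show`)
         VALUES (:username, :date, :content, :show)'
    );
    $stmt->execute($review);
    return (int) $dbh->lastInsertId();
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE show_reviews (id INTEGER PRIMARY KEY, username TEXT, date TEXT, content TEXT, `show` TEXT)');

// Constructed input: the apostrophes are stored verbatim, with no manual escaping.
$post = ['username' => 'alice', 'date' => '2013-05-01', 'content' => "It's the best 'show' on TV", 'show' => "Grey's Anatomy"];
$check = $dbh->prepare('SELECT content, `show` FROM show_reviews WHERE id = ?');
$check->execute([insert_review($dbh, $post)]);
$row = $check->fetch(PDO::FETCH_ASSOC);
var_dump($row['content'] === $post['content'], $row['show'] === $post['show']);
```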