MySQL won't complete registeration

[Jernu]

Hello, I am making a registration form and I get an error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for thhe right syntax to use near" at line 1"
This is the create.php

PHP Code:

<?php include("inc/incfiles/header.inc.php"); ?>

<?php

$reg = @$_POST['reg'];
$fname = @$_POST['firstname'];
$lname = @$_POST['lastname'];
$username = @$_POST['username'];
$email = @$_POST['email'];
$password = @$_POST['password'];
$password2 = @$_POST['password2'];
$u_check = @$_POST[''];

// reg form
$firstname = strip_tags(@$_POST['firstname']);
$lastname = strip_tags(@$_POST['lastname']);
$username = strip_tags(@$_POST['username']);
$email = strip_tags(@$_POST['email']);
$password = strip_tags(@$_POST['password']);
$password2 = strip_tags(@$_POST['password2']);

if ($reg) {
// Check if user already exists
$u_check = mysql_query("SELECT username FROM users WHERE username='$username'");
// Count the amount of rows where username = $un
$check = mysql_num_rows($u_check);
if ($check == 0) {
//check all of the fields have been filed in
if ($firstname&&$lastname&&$username&&$email&&$password&&$password2) {
// check that passwords match
if ($password==$password2) {
// check the maximum length of username/first name/last name does not exceed 25 characters
if (strlen($username)>25||strlen($firstname)>25||strlen($lastname)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
// check the maximum length of password does not exceed 25 characters and is not less than 5 characters
if (strlen($password)>30||strlen($password)<5) {
echo "Your password must be between 5 and 30 characters long!";
}
else
{
$query = mysql_query("INSERT INTO users VALUES ($firstname,'$lastname','$username','$email','$password'"); die(mysql_error());
die("Well done, you've made your account. <a href=\"logout.php\"Logout?");
}
}
}
else {
echo "<img src='img/x.png'>Your passwords don't match!";
}
}
else
{
echo "Please fill in all of the fields";
}
}
else
{
echo "Username already taken ...";
}
}
?>
<br /><br /><br /><br />
<form action='create.php' method='POST'>
<div id="create">
    <table>
        <tr>
            <td> First Name: </td>
            <td><input type="text" name="firstname" /></td>
        </tr>
        <tr>
            <td> Last Name: </td>
            <td><input type="text" name="lastname" /></td>
        </tr>
        <tr>
            <td> Username: </td>
            <td><input type="text" name="username" /><br /></td>
        </tr>
        <tr>
            <td> Email: </td>
            <td><input type="text" name="email" /><br /></td>
        </tr>
        <tr>
            <td> Password: </td>
            <td><input type="password" name="password" /><br /></td>
        </tr>
        <tr>
            <td> Repeat Password: </td>
            <td><input type="password" name="password2" /><br /></td>
        </tr>
        <tr>
            <td><input type="submit" name="reg" value="Sign Up!"></td>
        </tr>
    </table>
</div>
</form>

[NogDog]

I'm guessing you want quotes around $firstname in the insert query.

Also, you need to add some escaping (see the mysql_real_escape_string() function) to protect against sql injection errors/attacks.

Better yet, you could upgrade to the MySQLi or PDO extensions and make use of prepared statements and bound parameters so that you don't have to do the escaping yourself (with the added bonus that you don't have to worry about the fact that the old MySQL extension is now officially deprecated in PHP.