Please use this forum's [noparse]
[/noparse] bbcode tags around your code samples.
If any/all of those values are strings, their variables will need to be single-quoted within your SQL.
Note that your code is open to SQL injection attacks/errors due to those inputs not being escaped. Better yet: use the more up-to-date MySQLi or PDO extension with prepared statements and bound parameters in order to automatically handle input escaping where needed.