MySQL error when adding special characters, specialy at sign, even with mysql_real_escape_string() method

I am tying to make a user system with a mysql database. I have tried to insert a row into a table with the following php code:

$UserCreateQueryText = "INSERT INTO  users (
Username, Password, FirstName, LastName, eMail, ID, ClearanceLevel)
VALUES (
" . $User . ", " . $Password . ", " . $FirstName . ", " . $LastName . ", " . $eMailToUse . ", NULL, 1)";

$UserCreateQuery = mysql_query($UserCreateQueryText) or die(" User creation query error: " . mysql_error());

The Variables I used are defined as follows:

$User = mysql_real_escape_string($_GET["Username"]);
$Password = mysql_real_escape_string($_GET["Password"]);
$FirstName = mysql_real_escape_string($_GET["FirstName"]);
$LastName = mysql_real_escape_string($_GET["LastName"]);
$eMail = mysql_real_escape_string($_GET["eMail"]);

I used $_GET so I could see the variables were actually being passed correctly.

So, if I inserted a eMail (example@domain.com) the result of $UserCreateQueryText would be:

INSERT INTO  users (
Username, Password, FirstName, LastName, eMail, ID, ClearanceLevel)
VALUES (
username, password, Name, LastName, , NULL, 1)

so getting the eMail field clear and an error is thrown back:

User creation query error: You have an err开发者_开发技巧or in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near
' NULL, 1)' at line 4

-Ric Del (foxtailgames.com.mx)

---

You need to quote string values:

INSERT INTO ... VALUES ('String', 'string', ...)

Currently you're not:

INSERT INTO ... VALUES(Foo, Bar@baz.com, ...)

That gives the syntax error.