$sql = "INSERT INTO people ($columns) VALUES ('$values')";
This is going to put one string literal into the VALUES clause, a single quoted string containing a comma-separated list of values:
INSERT INTO people (...columns...) VALUES ('Chris Runo, 2, No, Yes, No, Yes, Yes, No, Straight, No, No, No, No, No, No, No, Yes, No, No, No, No, No, No, No, No, dark_brown, classic')
To solve this, you could write your own quoting/escaping function and use it in array_map():
function myquote($val)
{
return "'" . mysql_real_escape_string($val) . "'";
}
$escaped_values = array_map('myquote', array_values($person));
$values = implode(", ", $escaped_values);
$sql = "INSERT INTO people ($columns) VALUES ($values)";
Or else you could abandon the deprecated mysql_* function, and use PDO, which makes it much easier to write queries that are safe from SQL injection:
$columns = implode(", ",array_keys($person));
$params = implode(",", array_fill(0, count($person), "?"));
$sql = "INSERT INTO people ($columns) VALUES ($params)";
$stmt = $pdo->prepare($sql) or die(print_r($pdo->errorInfo(), true));
$stmt->execute(array_values($people)) or die(print_r($stmt->errorInfo(), true));