Use mysqli or PDO instead.

In pdo your code would look like – this is SAFE:

$query = $pdo->prepare("Insert Into
    deney (vid,yazan,email,yorum,ip,tarih,durum,yeri)
    values (:id, :yazan, :email, :yorum, :ip, Now(), 1, :yeri)");
$query->execute(array(
    'id' => $id,
    'yazan' => $yazan,
    'email' => $email,
    'yorum' => $yorum,
    'ip' => $ip,
    'yeri' => $yeri
));

This way PDO does the escaping for you and it’s safe against sql injection.

To create a mysql connection via PDO use:

$pdo = new PDO("mysql:dbname=$dbname", $username, $password);

I usually add a 4-th parameter to that as well, since I like to write all my code in utf-8, 4th parameter is in my case array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8").

Just to clarify the following is NOT SAFE – DO NOT USE:

$pdo->prepare("Insert Into
        deney (vid,yazan,email,yorum,ip,tarih,durum,yeri)
        values ('$id', '$yazan', '$email', '$yorum', '$ip', Now(), 1, '$yeri')");

If you insist on using mysql_query, but that is NOT RECOMMENDED, you need to do it like this

mysql_query("Insert Into deney (vid,yazan,email,yorum,ip,tarih,durum,yeri) values ('"
    . mysql_real_escape_string($id) . "', '"
    . mysql_real_escape_string($yazan) . "', '"
    . mysql_real_escape_string($email) . "', '"
    . mysql_real_escape_string($yorum) . "', '"
    . mysql_real_escape_string($ip) . "', Now(),'1','"
    . mysql_real_escape_string($yeri) . "')");