
Allow special characters in form's textarea after submit


Artistan@ITtrader wrote:

Use named parameters like :st, :comm, :comments in your query, then...

$db->prepare($query)->execute($_POST);

KISS - keep it stupid simple.

Be warned of POST modifications/missing aspects, though: depending on MySQL settings (and other things), missing columns could cause the query to die and not be executed. Additionally, other columns could be added to further retard the query; not super easy if the client is shooting blind, but with enough time and determination someone could break your stuff.
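
Added example, not part of the original posts: one way to keep the named-parameter approach while addressing the warning above is to bind only the fields the query expects rather than the whole $_POST array. The table name "tickets", the helper pickParams() and the sample input are assumptions made for illustration; an in-memory SQLite database stands in for MySQL so the snippet runs on its own.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: return exactly the expected fields from $input,
 * keyed as named placeholders. Extra keys in $input are ignored; a missing
 * field or a non-string value (e.g. comm[]=x arrives as an array) is rejected.
 */
function pickParams(array $input, array $expected): array
{
    $params = [];
    foreach ($expected as $name) {
        if (!array_key_exists($name, $input) || !is_string($input[$name])) {
            throw new InvalidArgumentException("Missing or invalid field: $name");
        }
        $params[":$name"] = $input[$name];
    }
    return $params;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (st TEXT, comm TEXT, comments TEXT)');

$query = 'INSERT INTO tickets (st, comm, comments) VALUES (:st, :comm, :comments)';
$stmt  = $db->prepare($query);
$fields = ['st', 'comm', 'comments'];

// Constructed input standing in for $_POST; "is_admin" was never part of the form.
$post = [
    'st'       => 'open',
    'comm'     => "O'Brien <b>&</b>",
    'comments' => "line 1\nline 2; --",
    'is_admin' => '1',
];

// Special characters are stored as-is because the values are bound, not concatenated.
$stmt->execute(pickParams($post, $fields));
var_dump($db->query('SELECT * FROM tickets')->fetchAll(PDO::FETCH_ASSOC));

// A request with a field missing is refused before it reaches the database.
unset($post['comments']);
try {
    $stmt->execute(pickParams($post, $fields));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```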

