[Nico]

Half. Use mysql_real_escape_string() on all user defined variables you're going to insert.

And you can do it directly like this.

PHP Code:

$free_text = mysql_real_escape_string($_POST['free_text']);

$awards_text = mysql_real_escape_string($_POST['awards_text']); 

And if $id2 is supposed to be a numeric value, I'd use intval() on it.

PHP Code:

$id2 = intval($_POST['id2']); 

www.php.net/intval