I couldn't help but notice that you're doing absolutely no screening of POST variables for malicious code or characters, nor is there even any checking to make sure the data types are correct. You're just blithely taking raw POST vars and sticking them into a SQL statement. It's difficult for me to describe just how incredibly foolhardy and dangerous that is.
I sincerely hope this code isn't accessible from the web or you're in for some extremely rude surprises.
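As an added illustration of the point made in this comment (example code written for this page, not code from the original thread or from the script being criticised), here is the pattern being objected to beside its corrected form, in Python with sqlite3. The table schema, the POST field names `username` and `user_id`, and the sample rows are all assumptions made for the example; the real form and database are not on the page.

```python
import re
import sqlite3

# Constructed stand-in for the application's database (assumed schema, not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, post):
    """The pattern the comment objects to: a raw POST value spliced into SQL text.
    A quote character in the value closes the string literal and whatever follows is
    parsed as SQL, so the WHERE clause no longer means what the author wrote."""
    sql = "SELECT username FROM users WHERE username = '" + post["username"] + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_post(post):
    """Type and shape checks on POST fields before they reach any query.
    Returns a dict of typed values, or raises ValueError. Field names are assumed."""
    if not isinstance(post, dict):
        raise ValueError("POST body must be a form dict")
    clean = {}
    username = post.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username: expected 1-32 characters from [A-Za-z0-9_]")
    clean["username"] = username
    if "user_id" in post:
        raw = post["user_id"]
        # Form values arrive as strings; insist on a plain integer and convert it ourselves.
        if not isinstance(raw, str) or not raw.isdigit():
            raise ValueError("user_id: expected a non-negative integer")
        clean["user_id"] = int(raw)
    return clean

def query_by_username(conn, username):
    """Parameterised query: the value is bound by the driver and never parsed as SQL,
    so a quote or keyword inside it is matched literally against the column."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]

def handle_post(conn, post):
    """What the script should do: validate types and shape first, then bind the value."""
    clean = validate_post(post)
    return query_by_username(conn, clean["username"])

if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: harmless as bound data, not harmless as SQL text.
    probe = {"username": "x' OR 'a'='a"}
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("bound only:", query_by_username(db, probe["username"]))
    try:
        handle_post(db, probe)
    except ValueError as err:
        print("rejected:", err)
```

The two defences are independent and both belong in the script: binding parameters removes the class of bug regardless of what the value contains, and the type check rejects values that could never be a legitimate username or id before any database work happens.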