Here is a link to a guide on how to prevent SQL injection: How can I prevent SQL injection in PHP?
From that same post here is a snippet that would help you to prevent SQL injection in your query, using mysql_real_escape_string().
<?php
// Escape the user-supplied value (requires an open mysql_connect() link), then splice it into a single-quoted SQL literal.
$safe_variable = mysql_real_escape_string($_POST["user-input"]);
mysql_query("INSERT INTO `table` (`column`) VALUES ('" . $safe_variable . "')");
You should also not be using mysql_* functions any more; they are all obsolete and unsafe. You should be using mysqli_* or PDO.
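As an added example that is not part of the original post, here is the same INSERT written with PDO and with mysqli prepared statements, where the user input is sent as a bound parameter and never becomes part of the SQL text; the DSN, credentials, table and column names are assumed placeholders.

```php
<?php
// Added example (not from the original post). Connection details, table and
// column names are assumptions for illustration only.
$input = $_POST['user-input'] ?? '';

// --- PDO ---------------------------------------------------------------
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Ask the server to prepare the statement instead of client-side emulation,
        // so the parameter is transmitted separately from the query text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The placeholder :value is filled in by the driver; quotes, backslashes or
// comment sequences in $input cannot alter the structure of the statement.
$stmt = $pdo->prepare('INSERT INTO `example_table` (`example_column`) VALUES (:value)');
$stmt->execute([':value' => $input]);

// --- mysqli ------------------------------------------------------------
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'example_db');
$mysqli->set_charset('utf8mb4');

$stmt = $mysqli->prepare('INSERT INTO `example_table` (`example_column`) VALUES (?)');
// 's' tells mysqli the bound parameter is a string; no manual escaping is needed.
$stmt->bind_param('s', $input);
$stmt->execute();
$stmt->close();
```

With either API the escaping step from the snippet above disappears entirely, which is what makes prepared statements the recommended replacement for mysql_real_escape_string().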