Escaping against mysql attacks

1

i feel that i am nearly there but am not sure why i am getting this error. i borrowed and adapted this code to suit but am falling at the last hurdle. please can someone advise as to whether the code is right and also what am i missing.

<?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>
 
<head>
<SCRIPT LANGUAGE="JavaScript">
function redirect () { setTimeout("go_now()",1800000); }
function go_now ()   { window.location.href = "competition_ferrari.php"; }
</script>
<link rel="STYLESHEET" type="text/css" href="partystylesheet.css">
<title>COMPETITION - WIN A FERRARI</title>
</head>
<?php
require("mail.inc.php");
if(isset($_POST['Submit'])){
    $dbhost = 'localhost';
    $dbuser = '';
    $dbpass = '';
    $dbname = 'formresults';
    $connection = mysql_connect($dbhost, $dbpass, $dbuser) or die(mysql_error());
    if(!is_resource($connection)) {
        echo "Failed to connect to the server
";
        // ... log the error properly
    } else {     
        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if(get_magic_quotes_gpc()) {
            $name               = stripslashes($_POST['name']);
            $address            = stripslashes($_POST['address']);
            $pcode              = stripslashes($_POST['pcode']);
            $email              = stripslashes($_POST['email']);
            $terms              = stripslashes($_POST['terms']);
            $specialoffers      = stripslashes($_POST['specialoffers']);
            $newsletter         = stripslashes($_POST['newsletter']);
        } else {
            $name               = $_POST['name'];
            $address            = $_POST['address'];
            $pcode              = $_POST['pcode'];
            $email              = $_POST['email'];
            $terms              = $_POST['terms'];
            $specialoffers      = $_POST['specialoffers'];
            $newsletter         = $_POST['newsletter'];
        }
    $db_selected = mysql_select_db('formresults', $connection);
    mysql_select_db($dbname) or die(mysql_error());
    $name = $_POST['name'];
    $address = $_POST['address'];
    $pcode = $_POST['pcode'];
    $email = $_POST['email'];
    $terms = $_POST['terms'];
    $specialoffers = $_POST['specialoffers'];
    $newsletter = $_POST['newsletter'];
    $query = sprintf("INSERT INTO competition_ferrari (name, address, pcode, email, terms, specialoffers, newsletter) VALUES ('$name', '$address', '$pcode', '$email', '$terms', '$specialoffers', '$newsletter')", mysql_real_escape_string($name, $connection),mysql_real_escape_string($address, $connection), mysql_real_escape_string($pcode, $connection), mysql_real_escape_string($email, $connection), mysql_real_escape_string($terms, $connection), mysql_real_escape_string($specialoffers, $connection), mysql_real_escape_string($newsletter, $connection), $_POST['Submit']);
mysql_query($query) or die(mysql_error());
if (mysql_affected_rows($connection) > 0) {
echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
echo "<div class='clearfix'></div>";
echo "<table width='100%' cellspacing='0' cellpadding='4' class='textstyle12b'><tr><td>";
echo "<strong>Thank you for entering our 'WIN A FERRARI' competition</strong><br><br>";
echo "<br><br>";
echo "</td></tr></table>"; 
echo "<body onLoad=redirect() text=#000000 link=#00FFFF vlink=#C0C0C0>"; 
echo "</body>";
}
}
} else {
    if (empty($_POST['name']) || empty($_POST['address']) || empty($_POST['pcode']) || empty($_POST['email']) || empty($_POST['terms']) || empty($_POST['specialoffers']) || empty($_POST['newsletter'])) 
{ 
    echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
    echo "<div class='clearfix'></div>";
    echo "<span class='textstyle'>";
    echo "Please return back to complete the missing fields"; 
    echo "</span>";
    echo "<form>";
    echo "<input type='button' value='Go Back' onclick='history.back(-1)' class='textstyle'>";
    echo "</form>";
    exit;
} 
if(!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $_POST['email'])) 
{ 
    echo "<body  leftmargin='0' topmargin='0'>";
    echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
    echo "<div class='clearfix'></div>";
    echo "<table width='100%' cellspacing='0' cellpadding='4' class='textstyle'><tr><td>";
    echo "<form>";
    echo "Enter a valid email address<br /><br /><input type='button' value='Go Back' onclick='history.back(-1)'>"; 
    echo "</form>";
    echo "</td></tr></table>";
    echo "</body>";
    exit;
}
}
}
else
{
?>
<body>
<div class="mainimage" style="text-align:left">
 <img src="../images/ferraricompmain_web.jpg">
</div>
<div class="clearfix"></div>
<form id="form1" name="form1" method="post" action="competition_ferrari.php">
<div class="attribute">*Name: </div><div class="txfields"><input name="name" type="text" size="50" maxlength="255" id="name" />
</div>
<div class="clearfix"></div>
<div class="attribute"> *Address: </div>
<div class="txfields">
  <textarea name="address" cols="50" rows="4" id="address"></textarea>
</div>
<div class="clearfix"></div>
<div class="attribute">*Post Code: </div>
<div class="txfields"><input name="pcode" type="text" size="20" maxlength="255" id="pcode" />
</div>
<div class="clearfix"></div>
<div class="attribute">*Email Address: </div><div class="txfields"><input name="email" type="text" size="50" maxlength="255" id="email"/></div>
<div class="clearfix"></div>
<div class="attribute" style="height: 220px">&nbsp; </div><div class="txfields">
<p>Terms &amp; Conditions<br/>
1. No purchase necessary - this is a free prize draw. <br/>
2. Closing date for entry into the Ferrari free prize draw is 05/12/08.<br/>  
3. Winner will be picked at random from all entries received on 07/12/08. <br/>
4. Winner will be notified within 21 days of closing date by either e/mail or phone that they have won the bike. <br/>
5. If the prize is not claimed within 21 days of notification, another prize winner will be drawn and the original prize winner forfeits the prize. <br/>
6. The prize fund consists of 1 x Ferrari CX 20 Cycle, suitable for children aged 6 - 8 years.<br/>
7. In the event the prize becomes unavailable, it may be replaced by one of equal or greater value. <br/>
8. One entry per household.<br/>
9. The prize is non-transferable and non-refundable. There is no cash alternative.<br/> 
10. Offer is open to residents of UK mainland only. <br/>
11. Promoter's decision is final and in the event of a dispute, no correspondence will be entered into. <br/>
12. Prize draw is not open to employees or families of Hamleys.<br/>
13. Promoter: Hamleys of London.<br/>
14. The winner's name will be made available if you write to: Hamleys, 6th Floor 2 Fouberts Place, London, W1F 7PA. <br/></p></div>
<div class="clearfix"></div>
<div class="chkbx"><input name="terms" type="checkbox" value="yes"  id="terms"/>
</div>
<div class="chkbxtxt">*I have read and agreed to the terms and conditions</div>
<div class="clearfix"></div>
<div class="chkbx"><input name="specialoffers" type="checkbox"  id="specialoffers" value="yes" checked/>
</div>
<div class="chkbxtxt">*YES, I would like to recieve special offers</div>
<div class="clearfix"></div>
<div class="chkbx">
  <input name="newsletter" type="checkbox"  id="newsletter" value="yes" checked/>
</div>
<div class="chkbxtxt">*YES, I want to recieve the Hamleys.com email newsletter full of orders, exclusive products and competitons.
</div>
<div class="clearfix"></div>
<div class="submitbutton"><input name="Submit" type="submit" value="Enter" />
</div>
<div class="clearfix"></div>
<div class="chkbxtxt">*please fill in all fields.
</div>
</form>
 
</body><?php
}
?>