In the data that sometimes includes SQL commands and possibly other data, there may be ' characters. Since that is what you are using to delimit your text, you are going to need to escape the single quotes ('). Otherwise, MySQL will not be able to parse your statement.
It's usually a good idea to escape all data, including numeric columns, especially if the form is to be used openly on the web. I use regular expressions to do the escaping:
use strict;
use warnings;

sub mysql_escape {
    my ($string) = @_;           # list assignment avoids the @_[0] slice warning
    $string =~ s/\\/\\\\/g;      # backslash      -> \\
    $string =~ s/\n/\\n/g;       # newline        -> \n
    $string =~ s/\r//g;          # carriage return is dropped
    $string =~ s/\'/\\\'/g;      # single quote   -> \'
    $string =~ s/\"/\\\"/g;      # double quote   -> \"
    return $string;
}
There may be a better way to do this. This sub escapes the following characters:
Backslash (\), newline (\n), return (\r), single quote ('), double quote (").
To use in your code you could do something like:
$text5 = &mysql_escape($q->param('textarea'));
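To see what the escaping above produces on real form input, here is an added, runnable example (not the poster's code): it wraps the same rules in a sub, builds an INSERT with every value quoted, and checks a few constructed inputs against their expected escaped form. The build_insert helper, the table name and the sample values are assumptions for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same escaping rules as the answer, with the argument taken by list
# assignment so 'use warnings' does not complain about @_[0].
sub mysql_escape {
    my ($string) = @_;
    $string =~ s/\\/\\\\/g;   # backslash    -> \\
    $string =~ s/\n/\\n/g;    # newline      -> \n
    $string =~ s/\r//g;       # carriage return dropped
    $string =~ s/'/\\'/g;     # single quote -> \'
    $string =~ s/"/\\"/g;     # double quote -> \"
    return $string;
}

# Hypothetical helper: build an INSERT from column => value pairs, quoting
# every value (numeric ones included) as escaped text between single quotes.
sub build_insert {
    my ($table, %row) = @_;
    my @cols = sort keys %row;
    return sprintf "INSERT INTO %s (%s) VALUES (%s)", $table,
        join(', ', @cols),
        join(', ', map { "'" . mysql_escape($row{$_}) . "'" } @cols);
}

# Constructed sample values of the kind a web form might submit.
my %form = (
    name  => "O'Brien",
    path  => "C:\\temp\\notes.txt",
    note  => "first line\r\nsecond line",
    count => 3,
);

print build_insert('notes', %form), "\n";

# Self-checks: each troublesome character must come out escaped.
my %expect = (
    "a'b\\c"   => "a\\'b\\\\c",       # a'b\c      -> a\'b\\c
    "x\r\ny"   => "x\\ny",            # CR dropped, LF -> \n
    'say "hi"' => 'say \\"hi\\"',     # "          -> \"
);
for my $in (sort keys %expect) {
    my $got = mysql_escape($in);
    die "escape mismatch for [$in]: got [$got]\n" unless $got eq $expect{$in};
}
print "escape checks passed\n";
```

With DBI, the same insert written with `?` placeholders and `$sth->execute(@values)` leaves the quoting to the driver, which also handles characters this sub does not touch, such as NUL bytes and connection character-set issues.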