tags:
views: 112
answers: 4
+3  A: 

You'll need to escape the values before you put them into the query:

$hnum = mysql_real_escape_string($_POST['hnum']);
$query = "INSERT ... VALUES('$hnum')";

If you have a lot of values, you can loop over them:

$values = $_POST;

foreach ($values as &$value) {
    $value = mysql_real_escape_string($value);
}

$query = "INSERT ... VALUES('$values[hnum]')";
deceze
Would this stop SQL injection? Is this true for all data types?
Yes, that's what `mysql_real_escape_string` is supposed to do, and it seems to work well enough. :)
deceze
A: 

You need to use this function like this:

....VALUES ('" . mysql_real_escape_string($_POST['hnum']) . "', ...
Haim Evgi
+1  A: 

You're running mysql_real_escape_string on the variables AFTER inserting them into the string!

You'd want to do:

   $hnum = mysql_real_escape_string($_POST['hnum']);
   $rnum = mysql_real_escape_string($_POST['rnum']);
   $adate = mysql_real_escape_string($_POST['adate']);
   $sqlque = "INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
  VALUES ('$hnum', '$rnum', '$adate', // etc.

Even better, don't create SQL queries out of string substitution at all. I suggest using PDO and prepared statements/parameterized queries. A prepared statement takes care of escaping the input for you. Here's a good link with a rundown of how to use PDO instead of the mysql_* commands.

Alex JL
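As an added example (not code from any of the answers above), here is the same INSERT into t2 done the way Alex JL suggests, with a PDO prepared statement so the form values never become part of the SQL text. The DSN, credentials and every form field name other than hnum, rnum and adate are assumptions.

```php
<?php
// Added example: PDO prepared statement for the t2 INSERT from the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=hospital;charset=utf8mb4', // assumed DSN
    'dbuser',                                               // assumed user
    'dbpass',                                               // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares: values travel as typed parameters,
        // not as text spliced into the statement.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Column list taken from the answer above. These are fixed identifiers chosen
// by the developer, never user input, which is why they may be concatenated.
$columns = ['HOSPNUM', 'ROOMNUM', 'ADATE', 'ADTIME', 'LASTNAME', 'FIRSTNAME',
            'MIDNAME', 'CSTAT', 'AGE', 'BDAY', 'ADDRESS', 'TELNUM', 'SEX', 'STAT',
            'STAT2', 'STAT3', 'STAT4', 'STAT5', 'STAT6', 'STAT7', 'STAT8', 'NURSE'];

// Form field per column: hnum, rnum and adate appear in the question; the
// remaining field names are assumed to be the lower-cased column name.
$fields = ['HOSPNUM' => 'hnum', 'ROOMNUM' => 'rnum', 'ADATE' => 'adate'];

$placeholders = array_map(function ($col) { return ':' . strtolower($col); }, $columns);
$sql = sprintf(
    'INSERT INTO t2 (%s) VALUES (%s)',
    implode(', ', $columns),
    implode(', ', $placeholders)
);
$stmt = $pdo->prepare($sql);

// Whitelist: only the mapped fields are read from $_POST. Extra POST keys are
// ignored; a missing field is bound as NULL rather than as the empty string.
$params = [];
foreach ($columns as $col) {
    $field = $fields[$col] ?? strtolower($col);
    $params[':' . strtolower($col)] = $_POST[$field] ?? null;
}

// A value such as O'Brien in LASTNAME is stored exactly as typed; the quote
// is data to the driver, so no escaping step is needed or possible to forget.
$stmt->execute($params);
```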
+1  A: 

Wouldn't using PDO be a better option?

Tangrs