且构网


Simple table query syntax error?

Updated: 2023-02-26 09:53:50

You have an SQL injection; always apply mysql_real_escape_string() to any user-submitted or otherwise potentially tampered-with data before sending it to a MySQL database.

Note the ' around the email variable.

<?php
// Escape before the value is interpolated; mysql_real_escape_string() needs an
// open mysql_connect() link so it can use the connection's character set.
$email = mysql_real_escape_string($_POST['email']);

// The escaped value must sit inside single quotes: escaping only neutralises
// characters that would otherwise close the quoted string literal.
$query = "
SELECT name, smacker, surname, sex, age, nationality, email
FROM employee
WHERE email = '$email'
";
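The following is an added example, not code from the original question or answer. It reconstructs the point of the answer in Python against an in-memory SQLite table so it runs offline: the raw interpolation the question was doing, the escape-and-quote fix the answer gives, the same escaping applied to a value that is not wrapped in quotes (where it does nothing), and a parameterised query for comparison. Two assumptions: SQLite has no backslash escapes, so a quote-doubling `escape()` stands in for mysql_real_escape_string(); and the employee rows are constructed sample data (the page's `smacker` column is omitted).

```python
import sqlite3

# Constructed sample rows for the employee table (not data from the original page).
EMPLOYEES = [
    ("Alice", "Smith", "F", 30, "UK", "alice@example.com"),
    ("Bob", "Jones", "M", 41, "US", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory copy of the employee table so every query runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (name TEXT, surname TEXT, sex TEXT,"
        " age INTEGER, nationality TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string() (assumption: SQLite dialect).

    SQLite has no backslash escapes; a quote inside a string literal is
    neutralised by doubling it. The job is the same as in MySQL: stop the
    input from terminating the surrounding '...' literal.
    """
    return value.replace("'", "''")


def names_matching(conn: sqlite3.Connection, sql: str) -> list:
    """Run a SELECT built by the caller and return the matched names, sorted."""
    return [row[0] for row in conn.execute(sql + " ORDER BY name")]


def lookup_unescaped(conn: sqlite3.Connection, email: str) -> list:
    # The question's bug: untrusted input pasted straight into the statement.
    return names_matching(conn, f"SELECT name FROM employee WHERE email = '{email}'")


def lookup_escaped(conn: sqlite3.Connection, email: str) -> list:
    # The answer's fix: escape the value AND keep it inside single quotes.
    return names_matching(conn, f"SELECT name FROM employee WHERE email = '{escape(email)}'")


def lookup_escaped_unquoted(conn: sqlite3.Connection, age: str) -> list:
    # Escaping alone is not enough. With no quotes around the value there is
    # no literal to break out of, so "30 OR 1=1" passes through untouched.
    return names_matching(conn, f"SELECT name FROM employee WHERE age = {escape(age)}")


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    # The form to prefer: the driver sends the value separately from the SQL text,
    # so quoting and escaping are no longer the application's problem.
    rows = conn.execute("SELECT name FROM employee WHERE email = ? ORDER BY name", (email,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unescaped:      ", lookup_unescaped(db, payload))
    print("escaped+quoted: ", lookup_escaped(db, payload))
    print("escaped, no quotes:", lookup_escaped_unquoted(db, "30 OR 1=1"))
    print("parameterised:  ", lookup_parameterised(db, payload))
```

Run it and the unescaped and unquoted variants return every employee for the injected inputs, while the escaped-and-quoted and parameterised variants return nothing for the payload and the right row for a genuine address. One caveat for anyone reading this answer today: the ext/mysql functions, mysql_real_escape_string() included, were removed in PHP 7; the same escaping exists as mysqli_real_escape_string(), but a prepared statement (mysqli or PDO) removes the quoting question entirely.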