You’re a sitting duck for a potential SQL injection attack with that code as no attempted is made to validate the user submitted data and the user submitted data isn’t escaped either!
Also you need to be aware that the old mysql_* extension is deprecrated in version 5.5 of PHP (current version) and is being removed from version 7 (the next version). You need to migrate over to using either the mysqli_* extension or PDO. Whichever of the two you go for you need to use prepared statements when dealing with data submitted by the user, having first validated the data that has been submitted by the user.