Well, you definitely need to do some verification of the inputted data.
For instance, I could enter "abcdefg" in the phone number field, and it would still store it in the database.
Apart from that: your code is vulnerable to database injection; I can simply enter a query into one of the fields, telling it to destroy everything in the current table, and it will work perfectly with your script.
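Both points above, shown as an added example that is not part of the original post or the asker's script: the phone field is validated before storage, and the insert uses bound parameters so field contents are never parsed as SQL. The `contacts` table, its columns, the SQLite backend, and the function names are assumptions, since the original script is not shown here.

```python
import re
import sqlite3

# Assumed format: optional leading +, digits, and common separators only.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ()\-]{5,18}[0-9]")


def validate_phone(raw):
    """Return the number with separators stripped, or raise ValueError."""
    value = raw.strip()
    if not PHONE_RE.fullmatch(value):
        raise ValueError("phone may contain only digits, spaces, ( ) - and a leading +")
    digits = re.sub(r"[^0-9+]", "", value)
    if not 7 <= len(digits.lstrip("+")) <= 15:
        raise ValueError("phone must have 7 to 15 digits")
    return digits


def save_contact(conn, name, phone):
    """Validate first, then insert with placeholders instead of string building."""
    name = name.strip()
    if not name or len(name) > 100:
        raise ValueError("name must be 1 to 100 characters")
    clean_phone = validate_phone(phone)
    with conn:  # commits on success, rolls back on error
        conn.execute(
            "INSERT INTO contacts (name, phone) VALUES (?, ?)",
            (name, clean_phone),
        )
    return clean_phone


def demo():
    """Run both cases from the post against an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT NOT NULL, phone TEXT NOT NULL)")
    results = {}
    try:  # constructed input: letters in the phone field
        save_contact(conn, "Alice", "abcdefg")
        results["letters"] = "stored"
    except ValueError:
        results["letters"] = "rejected"
    # Constructed input: SQL text in a field is stored as plain data.
    save_contact(conn, "x'); DROP TABLE contacts; --", "+31 (0)20 555-0100")
    results["rows"] = conn.execute("SELECT name, phone FROM contacts").fetchall()
    return results


if __name__ == "__main__":
    print(demo())
```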