in reply to Quick 'Quote' DBI Question

Consider what will happen to your query with $name = "; DELETE PY_EMP-SHADOW;" (← deliberately misspelled for your protection). The semicolons will end the original SELECT statement that you started and begin a new statement that you did not intend. It will delete that important data you are keeping!! A malicious person could take other actions as well. This is called "SQL injection".

Constructing a SQL query using user-supplied strings is a very bad habit to get into for this reason. Using placeholders (the approach roboticus and others are recommending) is a much better approach. Use it whenever possible. Placeholders also take care of all those nasty problems with quotes and other special characters. If a user enters their name as "Jim; Delete ...", using placeholders, that is precisely what his name will be set to. No weird side-effects.
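To make the placeholder approach concrete, here is an added example (not code from the original thread) using DBI with DBD::SQLite on an in-memory database; the emp table, its columns and the sample name are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: an in-memory SQLite database and a small employee table.
# Assumes DBD::SQLite is installed; the table and data are made up for this demo.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE emp (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");

# A user-supplied name full of characters that break string-built SQL:
# a single quote and a semicolon followed by another statement.
my $name = q{O'Brien; DELETE FROM emp;};

# Placeholder version: the '?' is bound at execute time, so the value is
# passed to the driver as data and is never parsed as part of the SQL text.
my $ins = $dbh->prepare("INSERT INTO emp (name) VALUES (?)");
$ins->execute($name);

# Same idea for the lookup: bind the name instead of interpolating it.
my $sel = $dbh->prepare("SELECT id, name FROM emp WHERE name = ?");
$sel->execute($name);
while (my ($id, $stored) = $sel->fetchrow_array) {
    print "row $id stored the name exactly as entered: [$stored]\n";
}

# The table is intact: the semicolon and DELETE were just characters in a value.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM emp");
print "rows remaining: $count\n";   # still 1

# For comparison, interpolating the same value into the SQL text (what the
# original code does) breaks on the stray quote before it can do anything else.
my $unsafe = "SELECT id FROM emp WHERE name = '$name'";
eval { $dbh->do($unsafe); 1 } or print "string-built query rejected: $@";

$dbh->disconnect;
```

The placeholder versions work the same way for any DBI driver, so the same pattern applies to the poster's real database, not just SQLite.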

Re^2: Quick 'Quote' DBI Question
by Trihedralguy (Pilgrim) on Apr 06, 2007 at 13:53 UTC
Is the method Herkum is talking about using placeholders? I don't understand these placeholders I guess.