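/**
 * Build "SELECT * FROM `<table>`" for a table name taken from a request.
 *
 * A table name is an SQL identifier, not a value, so it cannot be bound as a
 * prepared-statement parameter and string-escaping helpers do not protect it:
 *  - addslashes() and mysql_real_escape_string() escape the characters that
 *    matter inside a quoted string literal (quotes, backslash, NUL, ...).
 *    Neither touches the backtick that delimits an identifier.
 *  - The original attempts also passed the whole $_POST array instead of
 *    $_POST['FIO'], so no string was being escaped at all.
 *  - The mysql_* extension was removed in PHP 7.0.
 * The name is therefore accepted only if it is an exact, type-strict match
 * against a list of tables the application is willing to expose.
 *
 * @param mixed    $table         Raw request value; anything but a string is refused.
 * @param string[] $allowedTables Table names the caller may read from.
 *
 * @return string|null The query text, or null when the name is not allowed.
 */
function buildSelectAllQuery($table, array $allowedTables)
{
    // Strict comparison: no type juggling between e.g. 0 and a table name.
    if (!is_string($table) || !in_array($table, $allowedTables, true)) {
        return null;
    }

    // Defence in depth: MySQL quotes a backtick inside an identifier by doubling it.
    return 'SELECT * FROM `' . str_replace('`', '``', $table) . '`';
}

// PLACEHOLDER values: replace with the real table names this page may read.
$allowedTables = ['PLACEHOLDER_TABLE_1', 'PLACEHOLDER_TABLE_2'];

// Kept as the raw request value (null when absent); never use it in SQL directly.
$FIO = isset($_POST['FIO']) ? $_POST['FIO'] : null;

// ... (code elided in the original listing)

// $zapros is null when the requested table is refused. The caller must check
// for null and reject the request instead of executing a query.
$zapros = buildSelectAllQuery($FIO, $allowedTables);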