There are two security issues I see right off the bat.
The first one is that you're embedding variables directly into the SQL string. You should instead prepare the statement, bind the variables, and then execute the statement. This will protect you from the dreaded SQL injection. Check out the examples here: http://www.php.net/manual/en/mysqli.prepare.php. If you're feeling lazy, you can at least run the fields through mysql_real_escape_string() before embedding them:
// Escape quotes and other special characters before interpolating into SQL
$fullname = mysql_real_escape_string($fullname);
$photo = mysql_real_escape_string($photo);
$sql = "INSERT INTO members(fullname,photo) VALUES('$fullname', '$photo')";
The second is that you are not filtering the uploaded file. A user could upload a PHP file to your server, go directly to it, and take over your site. Validate the MIME type of the file, and since it is a photo, you can throw it through some image processing functions before moving it to its final directory. Here are some great examples: http://www.php.net/manual/en/features.file-upload.php
You can check to see if a file already exists by using file_exists().
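The three points above (prepared statement, upload validation through image processing, file_exists() check) combined into one added PHP example; this is not the answer's own code. It assumes an open mysqli connection in $mysqli, a members(fullname, photo) table, form fields named "fullname" and "photo", the GD and fileinfo extensions, and an uploads directory that the web server never executes scripts from.

```php
<?php
// Added example, not from the original answer.
// Assumed: $mysqli is a connected mysqli object, table members(fullname, photo),
// form fields "fullname" (text) and "photo" (file), GD + fileinfo loaded.
$uploadDir = __DIR__ . '/../uploads';   // assumed path, kept outside the web root

function storePhoto(array $file, string $uploadDir): ?string
{
    // Reject anything PHP's own upload handling already flagged.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Check the MIME type from the file contents, not the client-supplied name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    if (!in_array($finfo->file($file['tmp_name']), $allowed, true)) {
        return null;
    }
    // Re-encode through GD: a file that is not a decodable image is rejected,
    // and any extra bytes (such as embedded PHP) do not survive the rewrite.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // Server-chosen random name with a fixed extension: no user-controlled
    // filename, no double extensions, no path traversal. file_exists() guards
    // against the (unlikely) collision.
    do {
        $name = bin2hex(random_bytes(16)) . '.png';
        $dest = $uploadDir . '/' . $name;
    } while (file_exists($dest));
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $name : null;
}

$fullname = $_POST['fullname'] ?? '';
$photo = isset($_FILES['photo']) ? storePhoto($_FILES['photo'], $uploadDir) : null;
if ($fullname === '' || $photo === null) {
    http_response_code(400);
    exit('Invalid name or photo.');
}

// Prepared statement: the values are sent separately from the SQL text,
// so quotes or comment sequences in $fullname cannot alter the query.
$stmt = $mysqli->prepare('INSERT INTO members (fullname, photo) VALUES (?, ?)');
$stmt->bind_param('ss', $fullname, $photo);
$stmt->execute();
$stmt->close();
```

The re-encode step also rejects polyglot files that pass the MIME check but are not real images, which a bare extension or type check would let through.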