Your code should be parsing the text input before executing an SQL statement. The way you have it written, a clever hacker type could insert almost anything in there and screw up your database.
And when it happens the database administrator may be knocking on your door with some very bad news about your future employment with the company.
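As an added illustration (not the poster's code), here is the string-built query the answer warns about beside the two defences it implies: validating the input first and then binding it as a parameter instead of pasting it into the SQL. It uses Python's standard sqlite3 module with a constructed in-memory table; the table, column and sample rows are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data: a tiny users table with two rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern: user text becomes part of the SQL grammar.
    # A quote in `name` ends the literal and the rest is interpreted as SQL,
    # so the WHERE clause can be widened to return rows it should not.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Allow-list: a username is 1-32 letters, digits or underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_name(name):
    # Parse/validate the text before it goes anywhere near the database.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name

def lookup_safe(conn, name):
    # Hardened pattern: the driver binds `name` as a value, never as SQL,
    # so quotes or keywords inside it cannot change the query's meaning.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def lookup_validated(conn, name):
    # Both layers together: reject malformed input, then bind what is left.
    return lookup_safe(conn, validate_name(name))

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed malformed input
    print("unsafe  :", lookup_unsafe(db, probe))   # returns every row
    print("bound   :", lookup_safe(db, probe))     # returns nothing
    try:
        lookup_validated(db, probe)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it and compare the three results: only the concatenated version lets a malformed name widen the query, which is exactly the "almost anything" the answer is talking about.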