Warning: A good practice is that you should always use parameters and not string concatenation regardless if the query is privately or publicly generated. One day, the query may be made public then it will be open to
SQL Injection attacks[
^] which will compromise the security of the data.