in reply to Avoid SQL injection
You will want to refactor this code to use placeholders instead. See, for example, the section on placeholders in Databases made easy.
🦛
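As an added illustration of the advice above (not code from the reply or from the Databases made easy tutorial it points to): the same query written with string interpolation and with a placeholder, run side by side. Python's sqlite3 module stands in for DBI here, and the `users` table and the inputs are constructed for the demonstration. Note that a perfectly legitimate value containing an apostrophe already breaks the interpolated version, while the placeholder version treats every input as data.

```python
import sqlite3

def make_db():
    # Constructed sample table for the demonstration (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn

def lookup_interpolated(conn, name):
    # The value is pasted into the SQL text, so any quote inside it
    # changes the statement itself. This is the pattern to refactor away.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_placeholder(conn, name):
    # The driver sends the value separately from the statement; it can only
    # ever be compared against the column, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    # Runs both variants on a normal name, a name with an apostrophe, and an
    # input that carries a quote and an OR clause, and collects the outcomes.
    conn = make_db()
    results = {}
    for label, value in [("plain", "alice"),
                         ("apostrophe", "o'brien"),
                         ("quote_and_or", "x' OR '1'='1")]:
        try:
            interp = lookup_interpolated(conn, value)
        except sqlite3.OperationalError:
            interp = "syntax error"  # the apostrophe broke the statement
        results[label] = {"interpolated": interp,
                          "placeholder": lookup_placeholder(conn, value)}
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The `quote_and_or` case is the point of the refactor: interpolation returns every row in the table, while the placeholder query looks for a user literally named `x' OR '1'='1` and finds none.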