you are passing raw user input to your DB...

A serious concern here is that you can turn "where id = $something" into "where id = <anything> or 1=1" possibly letting anyone have admin access.