in reply to security question, mysql, limit, dbi, and placeholders
Is there any reason you don't verify that param("max_rec") is one of the numbers that you expect (or at least a number)?
Consider sanity checking all of the form parameters before you do anything else. Depending on the structure of your app, you might want to re-issue the form if any of the parameters are bad, or you might want to just issue an error page. (In the case of a pop-up menu, if you get bad data you either have a programming error, or someone is trying to hack you. An error page is a reasonable response to either case.)
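One way to do the check this reply recommends, as an added example that is not code from the original thread: `param("max_rec")` is compared against an allowlist of the values the pop-up menu actually offers before the query is built. The table and column names, the CGI parameters, and the database credentials are constructed placeholders; because the validated value is one of a few known integers, it is interpolated directly into LIMIT, and only the free-text parameter goes through a DBI placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(param);
use DBI;

# Constructed allowlist: exactly the values the pop-up menu offers.
my %allowed_max_rec = map { $_ => 1 } (10, 25, 50, 100);

# Validate before touching the database. Anything not on the list is
# either a programming error in the form or a tampered request; either
# way an error page is the right answer, so return undef and let the
# caller bail out.
sub checked_max_rec {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A(\d{1,3})\z/;   # digits only, sane length
    my $n = $1 + 0;                                # numify so "025" eq 25
    return $allowed_max_rec{$n} ? $n : undef;
}

my $max_rec = checked_max_rec(param('max_rec'));
unless (defined $max_rec) {
    print "Content-type: text/html\n\n<p>Bad request.</p>\n";
    exit;
}

# Placeholder credentials and database name (constructed).
my $dbh = DBI->connect('DBI:mysql:database=example', 'user', 'pass',
                       { RaiseError => 1 })
    or die $DBI::errstr;

# $max_rec is now one of a handful of known integers, so interpolating it
# into LIMIT is safe and sidesteps binding the LIMIT value. The search
# term is still user-controlled and goes through a placeholder.
my $sth = $dbh->prepare(
    "SELECT id, title FROM articles WHERE author = ? LIMIT $max_rec");
$sth->execute(param('author'));

while (my ($id, $title) = $sth->fetchrow_array) {
    print "$id: $title\n";
}
```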