in reply to security question, mysql, limit, dbi, and placeholders

I'd say it's likely to be a bad idea to accept user input directly into a database query that way. As you say yourself, it's trivial to pass arbitrary commands into the script, and hence on into the database query.

As far as returning a maximum number of results goes, I'd probably verify that you're getting a number, and only a number, back from the webpage. You can do this quite easily with a regexp, and it'd probably just add one line to your source code.

It's always a good idea, when you're accepting data into your script from an unknown source, to verify the data is exactly in the format you expect.

Hope that helps a little ...
-- Foxcub
A friend is someone who can see straight through you, yet still enjoy the view. (Anon)
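As an added illustration (not part of Foxcub's reply or the original thread), here is how the two pieces of advice above fit together in Perl/DBI: the search term travels through a placeholder, while the LIMIT value is accepted only if a regexp proves it is a plain whole number. The DSN, credentials, table name and column names are assumptions chosen for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed connection details and schema: a MySQL database "example" with a
# table "articles" holding "title" and "body" columns (all hypothetical).
my $dsn = 'DBI:mysql:database=example;host=localhost';

# The "maximum results" parameter from the web page must be a number, and
# only a number. \A and \z anchor to the true start and end of the string
# (unlike $, which would still accept a trailing newline), so "10; DROP ..."
# or "10\n" are both rejected before they can reach the SQL text.
sub validated_limit {
    my ($raw, $max) = @_;
    return undef unless defined $raw && $raw =~ /\A(\d{1,4})\z/;
    my $n = $1;                       # captured digits, now a known-good integer
    return undef if $n == 0 || $n > $max;
    return $n;
}

sub search_articles {
    my ($dbh, $term, $raw_limit) = @_;
    my $limit = validated_limit($raw_limit, 100);
    die "invalid limit\n" unless defined $limit;

    # The user's search term goes in via a placeholder, so DBI quotes it.
    # LIMIT gets the validated integer: since it matched /\A\d+\z/, putting
    # it into the statement string cannot change the statement's shape.
    my $sth = $dbh->prepare(
        "SELECT title FROM articles WHERE body LIKE ? LIMIT $limit"
    );
    $sth->execute('%' . $term . '%');
    return $sth->fetchall_arrayref;
}

my $dbh  = DBI->connect($dsn, 'user', 'password', { RaiseError => 1 });
my $rows = search_articles($dbh, $ARGV[0] // 'perl', $ARGV[1] // '10');
print "$_->[0]\n" for @$rows;
$dbh->disconnect;
```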