bad practice with that query, much better off using parameters to protect against any possible sql injection.