Please be aware that this can be susceptible to SQL Injection.
For safety, it is always better to use stored procedures or parameters.