The advice by dbrenth is correct. I would like to add a warning that is way more important than character input: failure to use parametrized statements makes the application very unsafe.
With the query string composed from some data, you can get some strings from, say, user input; and it can be anything, for example… SQL code. This way, your application is vulnerable to a well-known exploit called SQL Injection. Please see:
Read about the importance of parametrized statements. Besides safety, they are important for performance and consistency, as they are typed, in contrast to strings.
By the way, you also should not use repeated string concatenation ('+') for performance reasons; because strings are immutable;
are free from this problem.
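The contrast the answer draws, as an added example that is not part of the original post: the same lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The table, its rows and the function names are assumptions for this illustration; Python's `sqlite3` uses `?` placeholders, the same idea as `PreparedStatement` parameters. The last function shows the other point in the answer: when the number of values varies, the placeholder list is built with a single `join` rather than repeated `+` on an immutable string.

```python
import sqlite3


def make_db():
    # Constructed sample data for this example; not from the original answer.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_concat(conn, name):
    # Vulnerable pattern (kept only to show the effect): the query text itself
    # is assembled from user input, so the input is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    # Safe pattern: the SQL text is fixed; the value is bound as a typed
    # parameter and is never interpreted as part of the statement.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_users_in(conn, names):
    # Variable number of values: generate "?, ?, ?" with one join instead of
    # appending to a string in a loop, then bind every value as a parameter.
    if not names:
        return []
    placeholders = ", ".join("?" * len(names))
    sql = "SELECT name FROM users WHERE name IN (" + placeholders + ") ORDER BY name"
    return [row[0] for row in conn.execute(sql, tuple(names))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote and SQL text
    print("concatenated:", find_user_concat(db, crafted))   # every row comes back
    print("parametrized:", find_user_param(db, crafted))    # no such name: []
    print("IN list:", find_users_in(db, ["bob", "carol", "nobody"]))
```

With the concatenated version the crafted value changes the meaning of the `WHERE` clause and every user is returned; with the bound parameter the database looks for a user literally named `x' OR '1'='1` and finds none. The placeholder count in `find_users_in` must equal the number of bound values, which the `join` over `len(names)` guarantees.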