Fix SQL Injection Vulnerability in Raw Query

User input is directly concatenated into SQL query, allowing SQL injection attacks.