The code passes user input as part of a SQL query without escaping special elements.
It generates a SQL query using sprintf, with the user-supplied data passed directly as a format argument. This leaves the code vulnerable to attack by SQL Injection.
Use a library routine to escape characters in the user-supplied string before converting it to SQL.
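The pattern described above and its remediation, as an added example that is not part of the original finding. The table name, column and the sample input are constructed; escape_sql_literal is a stand-in for the library routine the text refers to (for SQLite, sqlite3_mprintf with %q does this; for MySQL, mysql_real_escape_string), and a prepared statement with bound parameters is the stronger fix where the driver supports it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The flagged pattern: user input is formatted straight into the SQL text.
 * snprintf is used instead of sprintf only to avoid a buffer overflow;
 * it does nothing about the injection. */
int build_query_unsafe(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, "SELECT * FROM users WHERE name = '%s'", user);
}

/* Stand-in for a library escape routine: doubles every single quote so the
 * value cannot terminate the string literal it is placed in. Returns a
 * malloc'd buffer the caller frees, or NULL on allocation failure. */
char *escape_sql_literal(const char *s) {
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'') quotes++;
    char *out = malloc(n + quotes + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        *p++ = s[i];
        if (s[i] == '\'') *p++ = '\'';   /* ' becomes '' */
    }
    *p = '\0';
    return out;
}

/* Remediated form: escape the user-supplied string before formatting. */
int build_query_escaped(char *out, size_t outlen, const char *user) {
    char *esc = escape_sql_literal(user);
    if (!esc) return -1;
    int r = snprintf(out, outlen, "SELECT * FROM users WHERE name = '%s'", esc);
    free(esc);
    return r;
}

int main(void) {
    const char *input = "bob' OR '1'='1";   /* constructed sample input */
    char q[256];
    build_query_unsafe(q, sizeof q, input);
    puts(q);   /* the quote in the input closes the literal early */
    build_query_escaped(q, sizeof q, input);
    puts(q);   /* the whole input stays inside one literal */
    return 0;
}
```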