Be careful with Database statements
The way the database queries are constructed (e.g. here) makes it possible to inject SQL instead of the legitimate parameter that is expected.
Make sure to use prepared statements to prevent this from happening: https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
Edited by Chris Nissen
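As an added illustration (not code from the original comment or the reviewed project), the following script puts the string-built query next to its prepared-statement replacement. It uses PDO with an in-memory SQLite database so it runs offline with php-cli; the table, rows, function names and the sample input are all constructed for this example. The mysqli API linked above binds parameters the same way, which the last function shows without being invoked (it would need a live MySQL connection).

```php
<?php
// Added example: string-concatenated SQL versus a prepared statement.
// PDO + SQLite in memory keeps it self-contained and offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.test'),
    ('bob',   'bob@example.test')");

// Constructed attacker-controlled input. A legitimate lookup would pass "alice";
// this value contains a quote that breaks out of the SQL string literal.
$untrusted = "x' OR '1'='1";

// Vulnerable pattern: the parameter becomes part of the SQL text, so the
// quote in $name terminates the literal and the remainder is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed pattern: the statement is compiled with a placeholder first and the
// value is bound afterwards, so it is only ever compared as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same fix with the mysqli API from the linked manual page. Not called here
// because it needs a real MySQL connection; shown only for comparison.
function findUserMysqli(mysqli $conn, string $name): array
{
    $stmt = $conn->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(PDO::FETCH_COLUMN);
}

// With the injected input, the unsafe query's WHERE clause is always true and
// every row matches; the prepared statement looks for a user literally named
// "x' OR '1'='1" and finds none.
var_dump(findUserUnsafe($db, $untrusted));
var_dump(findUserSafe($db, $untrusted));
```

Running this with `php example.php` shows the unsafe function returning both constructed rows and the prepared-statement version returning an empty array. The point of the fix is not escaping but separation: the SQL text never changes with user input, so there is no string for an attacker to break out of.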