If you have a variable that comes from user input, it’s essential that you use the ? rather than concatenating the strings. Users might enter a string maliciously, and if you drop the string straight into SQL it can run a command you didn’t intend.
I realise this one is overused, but it says it perfectly: