一個Java程序員寫了下面一段代碼，
String artist = request.getParameter(“artist”);
String genre = request.getParameter(“genre”);
String album = request.getParameter(“album”);
Statement s = connection.createStatement();
s.executeQuery(“SELECT() FROM music WHERE artist = ‘” + artist +
‘” AND genre = ‘” + genre + ‘” AND album = ‘” + album + “’”);
請問從安全角度來說有什么問題？ ()