http://qs321.pair.com?node_id=253092


in reply to security question, mysql, limit, dbi, and placeholders

If you are concerned about the value given to $max_recs1 = param("max_rec"); (which you definitively should be), then you should verify its contents before using it in your SQL query.

I'd check that the value is an integer value, positive and smaller or equal to some max value you will have to decide. (In your case typically 120. ;-)


Everything went worng, just as foreseen.
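The check described in the reply above, written out as an added example (this is not the poster's code nor the original question's): a user-supplied LIMIT count is accepted only if it is a plain positive integer no larger than a chosen maximum, and is then handed to DBI as a typed placeholder. The table name, the DSN and the credentials are assumptions; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI qw(:sql_types);

# Hypothetical upper bound; pick whatever your page really needs to show.
use constant MAX_RECS => 120;

# Return the value as a validated integer, or undef if it is not a plain
# positive integer no larger than MAX_RECS. The anchored regex rejects a
# sign, whitespace, decimals, exponents and anything appended after digits.
sub validate_limit {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A[1-9][0-9]{0,5}\z/;
    return undef if $raw > MAX_RECS;
    return 0 + $raw;
}

# Run the query with the count bound as a typed placeholder. Binding it as
# SQL_INTEGER matters with DBD::mysql: an untyped bind is quoted as a string
# and MySQL rejects "LIMIT '10'" with a syntax error.
sub fetch_rows {
    my ($dbh, $limit) = @_;
    my $sth = $dbh->prepare('SELECT id, title FROM items ORDER BY id LIMIT ?');
    $sth->bind_param(1, $limit, SQL_INTEGER);
    $sth->execute;
    return $sth->fetchall_arrayref;
}

# Constructed sample inputs standing in for param("max_rec").
for my $input ("10", "120", "121", "-5", "10; DROP TABLE items", "1e3", " 7", "") {
    my $n = validate_limit($input);
    printf "%-25s => %s\n", "'$input'", defined $n ? "ok ($n)" : "rejected";
}

# Assumed DSN and credentials; replace with your own.
my $dbh = DBI->connect('DBI:mysql:database=test;host=localhost', 'user', 'pass',
                       { RaiseError => 1 });
my $limit = validate_limit("10") // die "bad max_rec";
for my $row (@{ fetch_rows($dbh, $limit) }) {
    print join("\t", @$row), "\n";
}
```

Because validate_limit returns a number and not the raw string, interpolating the result directly into the SQL text would also be safe; the typed placeholder is shown so the statement can stay prepared once and re-executed with different counts.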