Help?

Name: Anonymous 2012-01-27 18:30

Don't know if you guys help round here but I'll give it a go.

This is SQL

query = "UPDATE event_info"
        + "SET PLACES = PLACES   -1 "
        + "WHERE EID = '"+intID+"' ";
stmt.execute(query);

What's wrong here? It's a booking system. When I book I want available places to go down by 1. Places is an int, EID is also an int.

Name: Anonymous 2012-01-27 18:37

What's wrong here?
This code is vulnerable to SQL injection.

Name: Anonymous 2012-01-27 18:41

Let me rephrase.

Why doesn't Places get negated when I enter a valid ID to negate from?

Name: Anonymous 2012-01-27 18:46

>>1
Ensure there is a space at the end of each "line" of your SQL.
As it is your string concatenates to
UPDATE event_infoSET PLACES = PLACES   -1 WHERE EID = $$
Also, as >>2 says, $$ (intID) is vulnerable to somehow becoming
'0; SELECT \'LISP\';'
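As an added example (not code from anyone in this thread), here is the OP's UPDATE rewritten with the missing spaces restored and the EID bound as a parameter instead of spliced into the SQL text. It assumes a java.sql.Connection obtained elsewhere and that the EID column is an integer, as the OP states; the PLACES > 0 guard and the row-count check are additions so a sold-out or unknown event is reported rather than silently driven negative.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class BookingDao {
    // Decrement PLACES for one event.
    // Returns true if a place was taken, false if the EID does not exist
    // or no places were left (0 rows updated).
    public static boolean takePlace(Connection conn, int intID) throws SQLException {
        // Note the trailing space on each fragment: adjacent string literals
        // are concatenated as-is, a line break in the source adds nothing.
        String sql = "UPDATE event_info "
                   + "SET PLACES = PLACES - 1 "
                   + "WHERE EID = ? AND PLACES > 0";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The value is sent as an integer parameter, so whatever the user
            // typed can never change the structure of the statement.
            ps.setInt(1, intID);
            int updated = ps.executeUpdate();
            return updated == 1;
        }
    }
}
```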

Name: Anonymous 2012-01-27 18:56

>>4

Wow Jesus that makes me feel dumb, I'm new to this SQL stuff and didn't realise a new line wouldn't have created a space.
Thanks
