Yes, SQL injection could possibly be an issue here, if the data in ColumnText is written in such a way.
But since the beginning of the UPDATE statement is hardwired with "UPDATE", right now I can't see a way to manipulate the statement to run SQL injection code.
N 56°04'39.16"
E 12°55'05.25"