The "date" you get from the frontend has not been filtered, and you use this "date" to execute SQL directly; this may cause SQL injection. In your situation, the "date" is just used as a condition in the SQL. From the code you showed, I don't think this would be a stored XSS, but I recommend you write a filter function to limit the "date" to avoid SQL injection.
He who fights too long with dragons becomes a dragon himself; gaze too long into the abyss, and the abyss will gaze back…
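One way to write the filter the answer above recommends, as an added example that is not part of the original post: the "date" is accepted only as a strict `YYYY-MM-DD` calendar date and is then passed as a bound parameter (parameter binding is an addition here, not something the answer mentions). The `orders` table, `day` column, function names and sample rows are all constructed for illustration, with SQLite standing in for the real database.

```python
import re
import sqlite3
from datetime import date

_DATE_RE = re.compile(r"([0-9]{4})-([0-9]{2})-([0-9]{2})")

def parse_date(raw):
    """Allow only a real calendar date written as YYYY-MM-DD; raise ValueError otherwise."""
    m = _DATE_RE.fullmatch(raw) if isinstance(raw, str) else None
    if m is None:
        raise ValueError("date must be YYYY-MM-DD")
    # date() itself rejects impossible values such as 2024-02-30
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))

def demo_db():
    """Constructed in-memory table with hypothetical names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, day TEXT)")
    conn.executemany("INSERT INTO orders (id, day) VALUES (?, ?)",
                     [(1, "2024-05-01"), (2, "2024-05-01"), (3, "2024-05-02")])
    return conn

def orders_on_unsafe(conn, raw):
    # The pattern the answer warns about: unfiltered input concatenated into the SQL text.
    sql = "SELECT id FROM orders WHERE day = '" + raw + "' ORDER BY id"
    return conn.execute(sql).fetchall()

def orders_on(conn, raw):
    # Filter first, then bind the normalized value instead of building a string.
    day = parse_date(raw)
    sql = "SELECT id FROM orders WHERE day = ? ORDER BY id"
    return conn.execute(sql, (day.isoformat(),)).fetchall()

if __name__ == "__main__":
    conn = demo_db()
    print(orders_on(conn, "2024-05-01"))
    # Constructed malformed inputs the filter must reject
    for bad in ["x' OR '1'='1", "2024-02-30", "2024-5-1"]:
        try:
            orders_on(conn, bad)
        except ValueError as exc:
            print("rejected", repr(bad), "->", exc)
```

Rejecting the value before the query runs also gives the application a clear point at which to log the malformed input.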