Use a parameterized statement like in your insert:
connetion = New SqlConnection("my conetion string")
connetion.Open()
cmdtabela = connetion.CreateCommand
cmdtabela.CommandText = "update tbltest set name=@name, lastname=@lastname, foto=@foto where Id=@id"
cmdtabela.Parameters.AddWithValue("name", txtname.Text)
cmdtabela.Parameters.AddWithValue("lastname", txtlastname.Text)
cmdtabela.Parameters.AddWithValue("id", txtid.Text)
Dim ms As New MemoryStream()
PictureBox3.BackgroundImage.Save(ms, PictureBox3.BackgroundImage.RawFormat)
Dim data As Byte() = ms.GetBuffer()
Dim p As New SqlParameter("Foto", SqlDbType.Image)
p.Value = data
cmdtabela.Parameters.Add(p)
It's always worth parameterising any query or statement you run against a database for security:
https://www.owasp.org/index.php/SQL_Injection[
^]