The major flaw of this code is that it is using string data to compose a query; and
you should never ever do it because this is too dangerous from the security standpoint.
The data can come from anywhere, including user input. In this case, it can be anything, including… a fragment of SQL code. This simple idea explains a well-known exploit called
SQL Injection:
http://en.wikipedia.org/wiki/SQL_injection
This article also explains the importance of
parameterized statements. You need to use them in your code. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx
—SA
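The contrast the answer draws, shown as an added example that is not part of the original post or of the linked MSDN article: the same lookup written once by composing the query from string data and once with a bound parameter, run against a small in-memory SQLite table (constructed sample data; Python's sqlite3 is used here in place of ADO.NET, and the function and table names are this example's own).

```python
import sqlite3

# Constructed sample data for the demonstration: three users, one of them privileged.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # The flaw described in the answer: the query text is built from string data,
    # so whatever the caller passes becomes part of the SQL the engine parses.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    # The fix: the statement is fixed text with a placeholder, and the value is bound
    # separately. The driver never interprets the value as SQL, no matter its content.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_safely(conn, name):
    # The vulnerable form also breaks on perfectly legitimate input containing a quote
    # (e.g. a surname such as "o'brien"); the parameterized form handles it as data.
    try:
        find_user_vulnerable(conn, name)
        vulnerable_ok = True
    except sqlite3.OperationalError:
        vulnerable_ok = False
    return vulnerable_ok, find_user_parameterized(conn, name)


# Constructed demonstration input: a value that reads as a SQL fragment when it is
# pasted into query text, but is just an odd-looking name when it is bound as a parameter.
INJECTED_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("composed query, injected input  ->", find_user_vulnerable(db, INJECTED_NAME))
    print("parameterized, injected input   ->", find_user_parameterized(db, INJECTED_NAME))
    print("legitimate name with apostrophe ->", lookup_safely(db, "o'brien"))
```

Running it shows the composed query returning every row for the injected input (the WHERE clause has been rewritten to always match), while the parameterized query returns nothing, because no user is literally named `x' OR '1'='1`. The third line shows the other half of the argument: the composed form raises a syntax error on an ordinary name with an apostrophe, where the parameterized form simply returns an empty result.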